NOTICE: ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R).

Document Conventions

Command descriptions use these conventions:

boldface font

Commands and keywords are in boldface.

italic font

Arguments for which you supply values are in italics.

[ ]

Elements in square brackets are optional.

[ x | y | z ]

Optional alternative keywords are grouped in brackets and separated by vertical bars.

Screen examples use these conventions:

screen font

Terminal sessions and information in the displays are in screen font.

boldface screen font

Information you must enter is in boldface screen font.

italic screen font

Nonprinting characters, such as passwords, are in angle brackets.

< >

Default responses to system prompts are in square brackets.

!, #

An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

This document uses the following conventions:

Note: Notes contain helpful suggestions or references to material not covered in the manual.

Caution: Cautions indicate that in this situation, you might do something that could result in equipment damage or loss of data.

Warning: Warnings indicate a potential situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.

NGEW Architecture Overview

Figure 1. Enterprise Network Architecture

Enterprise networks must adapt to meet new and evolving business requirements. The introduction of cloud services (private, public, or hybrid) brings new challenges to current enterprise network designs. A more distributed workforce, the proliferation of bandwidth-intensive video-enabled endpoints, and the consolidation of servers into a few centralized locations require networks to carry more traffic more efficiently while offering the same or a higher level of performance and availability.

The Cisco® Next Generation Enterprise WAN (NGEW) is an end-to-end architecture that provides foundation building blocks for next-generation enterprise networks. The hierarchical design provides the scalability required by large enterprises, which can be extended and replicated throughout multiple regions and theaters. This consistency leads to ease of deployment, maintenance, and troubleshooting.

Figure 2. NGEW Regional WAN Topology

A logical starting point is the regional WAN (RWAN), where all branch-office locations connect through various access technologies, such as wireless (third- and fourth-generation [3G and 4G, respectively]), DSL, and Multiprotocol Label Switching (MPLS), to the highly scalable aggregation routers at the enterprise interconnect. The enterprise interconnect is the location where traffic from the RWAN is aggregated to the in-theater and global WAN cores. In addition, the enterprise interconnect links all the other components of NGEW, including local data centers and campus, as well as the enterprise edge, which is the demarcation point between enterprise networks and any external network service (for example, Internet, cloud, and voice).

• Ultra-high-end branch office: Based on the high-end branch office with increased capacity and higher availability

In addition to providing advanced routing functions, one of the primary design goals of NGEW is to build a network foundation that can reliably support new applications and services, including those in the Cisco Borderless Network - application velocity, medianet, IPv6, and mobility. Customers will benefit from investing in a Cisco network design that has gone through rigorous testing, and scales to support new applications and services to address their continuously evolving business requirements.

RWAN Deployment

Overview

The chosen architecture has all types of RWAN branch offices connecting into the same aggregation at the headend. RWAN aggregation has two types: large-scale or high-end aggregation terminates 5000 branch offices, whereas standard aggregation terminates 1500 branch offices. Tables 1 and 2 show the branch-office mix for both types of aggregation.

Table 1. Standard Aggregation

Branch-Office Type   Branch-Office Mix (%)   Standard-Scale Aggregation (1500 Branch Offices)
Standard             80                      1200
Mobile               20                      300

Table 2. High-End or Large-Scale Aggregation

Branch-Office Type           Branch-Office Mix (%)   Large-Scale Aggregation (5000 Branch Offices)
High end and ultra high end  5                       250
Standard                     80                      4000
Mobile                       15                      750

The different types of branch offices can have different types of WAN connectivity to the headend: 3G or 4G, service provider MPLS, or the Internet. In this design, mobile branch offices use the Internet to reach the headend. Standard branch offices have two WAN connections, the primary being the MPLS Layer 3 VPN (L3VPN) and the Internet serving as the backup. High-end branch offices have two MPLS service provider connections for high-bandwidth, highly available connectivity to the headend.

Security is one of the critical features of this design. To secure the branch-office connectivity to the headend over two different types of clouds, two different encryption technologies are used. Group Encrypted Transport VPN (GETVPN) blends well with the L3VPN, whereas Dynamic Multipoint VPN (DMVPN) is the more suitable application over the Internet. GETVPN and DMVPN deployments are described in the following sections.

Redundancy and high availability are the main components of this architecture. With heavy emphasis on voice and video in the branch offices as well as the headend, features such as Performance Routing (PfR), quality of service (QoS), and Cisco Wide Area Application Services (WAAS) are deployed to achieve the best user experience.

Standard Aggregation

The standard aggregation design for the RWAN has the primary link to the service provider MPLS cloud for connectivity to the branch offices (Figure 3). The backup link for standard branch offices is through the Internet. The WAN links mentioned are both Ethernet. Ethernet is becoming a dominant carrier handoff in many markets, and it is relevant to include Ethernet as the primary media in the tested architectures. Most of the discussion in this guide can also be applied to non-Ethernet media (such as T1/E1, DS-3, OC-3, and so on), but they are not explicitly discussed in this design.

Figure 3. RWAN - Standard Aggregation

Deploying Group Encrypted Transport VPN for Standard Aggregation

The MPLS cloud interconnects the headend to the branch-office sites. The customer edge (CE) routers on each site act as group members (GMs). The headend customer edge router is also acting as a group member. All these routers are grouped into a Group Domain of Interpretation (GDOI) group. Therefore, the keyserver (KS) and group members are part of the same VPN.

In this design the headend customer edge routers that are acting as headend group members are Cisco ASR 1000 Aggregation Services Routers. For standard aggregation the ASR configuration shown in Table 3 is used.

PKI is the more secure and scalable method of authentication. The following steps must be repeated on all devices in the network.

Note: rsa-sig is the default authentication method for an ISAKMP policy.

Unique Rivest, Shamir, and Adleman (RSA) keys must be generated on all keyservers and group members as follows:

crypto key generate rsa general-keys label PKI_KS modulus 4096

All keyservers and group members must be configured with a trustpoint:

crypto pki trustpoint HE-PKI
 ! The URL is the address of the PKI server
 enrollment url http://10.4.226.202:80
 revocation-check none
 ! PKI_KS is the label of the generated keys
 rsakeypair PKI_KS

Use the following commands to authenticate to the Certificate Authority (CA) server and download the signed certificate. HE-PKI is the trustpoint.

crypto pki authenticate HE-PKI
crypto pki enroll HE-PKI

Step 3. Configure IP Security (IPsec) parameters:

crypto ipsec transform-set 3DES esp-aes 256 esp-md5-hmac
!
crypto ipsec profile GN
 set security-association lifetime seconds 3600
 set transform-set 3DES
!

Step 4. Install the RSA key used for the rekey:

! REKEYRSA is the name of the key.
crypto key generate rsa modulus 1024 label REKEYRSA

Step 5. Configure the GDOI group:

crypto gdoi group GN2
 identity number 1102
 server local
  rekey algorithm aes 128
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa REKEYRSA
  rekey transport unicast
  registration interface Loopback0
  sa ipsec 1
   profile GN
   match address ipv4 ACL_GN2
   no replay
  ! Source address of the rekey packet
  address ipv4 10.4.11.210

Step 6. Configure an access control list (ACL).

Encryption of traffic between group members is governed by the access list configured in the GDOI group: everything the ACL permits is encrypted, and anything it denies is forwarded unencrypted. GDOI and other control traffic such as Network Time Protocol (NTP), Telnet, Simple Network Management Protocol (SNMP), and syslog are denied in the access list, so they are transported without encryption. GDOI uses User Datagram Protocol (UDP) port 848 for communication between the keyserver and group members. In certain cases group members need to go through other group members to reach the keyserver; therefore, UDP port 848 messages are left unencrypted. Control messages for routing or multicast protocols should also be allowed to pass through group members without encryption. Any control packets that must traverse the path between the keyserver and group members before the Traffic Encryption Keys (TEKs) are exchanged need to be excluded in the ACL.

Group Member Configuration on the Cisco ASR 1000 (aggregation customer edge)

In addition to ISAKMP and authentication, the group member needs the following configuration to enable GDOI and download the policy:

Step 1. Configure IKE phase 1.

IKE phase 1 configuration comprises two important parts: configuring the ISAKMP policy and the authentication method. The configuration of IKE phase 1 follows:

crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
 lifetime 300
 authentication rsa-sig
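The policy above pairs 3DES, MD5, and Diffie-Hellman group 2, which were common choices when this guide was written but are now treated as legacy. The following Python script is an added example, not configuration from the guide: it parses crypto isakmp policy blocks out of a running configuration and flags legacy algorithm choices, applying the IOS defaults for any keyword a policy omits. The legacy thresholds and the sample configuration are this example's own assumptions (a stronger policy 20 is constructed next to the guide's policy 10).

```python
"""Flag legacy algorithm choices in IOS 'crypto isakmp policy' blocks.

Added example, not from the Cisco NGEW guide. What counts as legacy here is
this example's own assumption, following next-generation-encryption
guidance: AES, SHA-2, and DH group 14 or larger.
"""
import re

LEGACY_ENCR = {"des", "3des"}
LEGACY_HASH = {"md5", "sha"}        # plain 'sha' on IOS means SHA-1
LEGACY_GROUP = {"1", "2", "5"}      # 768-, 1024- and 1536-bit MODP groups
# IOS applies these when a keyword is omitted from the policy.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

# Constructed sample: the guide's policy 10 next to a stronger policy 20.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
 lifetime 300
 authentication rsa-sig
crypto isakmp policy 20
 encr aes 256
 hash sha256
 group 14
 lifetime 86400
 authentication rsa-sig
"""


def parse_isakmp_policies(config):
    """Return {priority: {keyword: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return policies


def audit_policy(policy):
    """Return human-readable findings for one policy; an empty list means no issue."""
    p = {**IOS_DEFAULTS, **policy}
    findings = []
    if p["encr"].split()[0] in LEGACY_ENCR:
        findings.append(f"encr {p['encr']}: legacy cipher, use aes 128 or aes 256")
    if p["hash"] in LEGACY_HASH:
        findings.append(f"hash {p['hash']}: legacy hash, use sha256 or sha384")
    if p["group"] in LEGACY_GROUP:
        findings.append(f"group {p['group']}: small DH group, use 14 or larger")
    if p["authentication"] == "pre-share":
        findings.append("authentication pre-share: prefer rsa-sig (PKI) for a large fleet")
    return findings


def audit_config(config):
    """Audit every policy in a config; returns {priority: [findings]}."""
    return {prio: audit_policy(pol) for prio, pol in parse_isakmp_policies(config).items()}


if __name__ == "__main__":
    for prio, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"policy {prio}:", findings or "ok")
```

Run against the output of show running-config | section crypto isakmp policy, the script reports three findings for policy 10 and none for policy 20. Because IOS silently applies des, sha, and group 1 to a policy that omits those keywords, an empty-looking policy is flagged as well.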

Step 2. Configure PKI and download certificates.

PKI is the more secure and scalable method of authentication. The following steps must be repeated on all devices in the network.

Note: rsa-sig is the default authentication method for an ISAKMP policy.

Unique RSA keys must be generated on the keyserver and group members as follows:

crypto key generate rsa general-keys label PKI_KS modulus 4096

All keyservers and group members must be configured with a trustpoint:

crypto pki trustpoint HE-PKI
 ! The URL is the address of the PKI server
 enrollment url http://10.4.226.202:80
 revocation-check none
 rsakeypair PKI_KS

Authenticate to the CA server and download the signed certificate:

crypto pki authenticate HE-PKI
crypto pki enroll HE-PKI

Step 3. Configure the GDOI group to download the policies from the keyserver:

crypto gdoi group GN2
 identity number 1102
 ! Key server address
 server address ipv4 10.4.11.210
!
crypto map GN2 local-address Loopback0
crypto map GN2 10 gdoi
 set group GN2

Step 4. Configure routing on the group member (Figure 4).

Figure 4. Routing design for Standard Aggregation

The group member runs external Border Gateway Protocol (eBGP) to connect to the service provider. The internal network of the enterprise runs Enhanced IGRP (EIGRP). Route redistribution is configured between EIGRP and BGP. Here is the routing configuration:

router eigrp 300
 distribute-list Block-CE in
 default-metric 100000 100 255 1 1500
 network 10.4.0.0 0.0.255.255
 redistribute bgp 65511
 passive-interface default
 no passive-interface Port-channel1
 no passive-interface GigabitEthernet0/0/1
 eigrp router-id 10.4.11.204
!
router bgp 65511
 bgp router-id 10.4.11.204
 bgp log-neighbor-changes
 neighbor 10.4.81.1 remote-as 65000
 !
 address-family ipv4
  network 10.4.81.0 mask 255.255.255.252
  redistribute eigrp 300
  neighbor 10.4.81.1 activate
 exit-address-family
!

Deploying DMVPN for Standard Aggregation

Mobile branch offices connect to the headend using Internet connectivity. This link is the primary and the only link to connect to the headend. Standard branch offices use the Internet connection as the backup link to connect to the headend. In both cases this design has DMVPN to secure the links.

The authentication method on the hub is both certificate and preshared. Although certificate is the preferred method, it might not be feasible for some of the mobile client routers to download the certificate. In that case there are two options: either have the certificate loaded on the box before installing it on the mobile site or use the preshared key to authenticate the peer.

The routing protocol used over DMVPN is BGP. The hub router also acts as the route reflector, and all spokes are defined as route-reflector clients. Route redistribution is configured between EIGRP, used internally in the RWAN aggregation, and BGP or EIGRP with the spokes over the DMVPN tunnel.

The routing protocols in this design are either BGP or EIGRP. For deployments with more than 1000 spokes, BGP is recommended. For fewer than 1000 spokes, EIGRP can be used. Following is the BGP configuration on the hub. If the BGP autonomous system (AS) is unique for each of the standard branch-office routers, you must use eBGP instead of iBGP. Here is the configuration:

router bgp 1000
 bgp router-id 99.2.1.1
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 timers bgp 120 480
 redistribute connected
 neighbor spoke1 peer-group
 neighbor spoke1 remote-as 1000
 neighbor spoke1 update-source Tunnel1
 neighbor spoke1 route-reflector-client
 neighbor spoke1 next-hop-self
 neighbor spoke2 peer-group
 neighbor spoke2 remote-as 1000
 neighbor spoke2 update-source Tunnel1
 neighbor spoke2 route-reflector-client
 neighbor spoke2 next-hop-self
 neighbor spoke3 peer-group
 neighbor spoke3 remote-as 1000
 neighbor spoke3 update-source Tunnel1
 neighbor switch peer-group
 neighbor switch remote-as 1000
 neighbor switch update-source GigabitEthernet0/0/1
 neighbor switch route-reflector-client
 neighbor switch next-hop-self
 neighbor 21.1.10.1 peer-group spoke2
 neighbor 21.1.10.2 peer-group spoke2

If you use EIGRP as the routing protocol over the tunnels, it is recommended that you have all the spokes defined as EIGRP stub routers. On the headend the configuration follows:

router eigrp 10
 network 192.168.0.0 0.0.255.255
 network 200.0.0.0 0.255.255.255
 no auto-summary
!
interface Tunnel1
 bandwidth 1000000
 ip hello-interval eigrp 10 500
 ip hold-time eigrp 10 5000
 ip summary-address eigrp 10 200.0.0.0 255.0.0.0 5
!

Deploying WAAS for Standard Aggregation

Cisco Wide Area Application Services (WAAS) is centrally managed and requires one or more Cisco WAAS Central Manager devices that are physically located within the data center and accessible through a web interface.

Multiple Cisco Wide Area Application Engine (WAE) devices at one location can operate as a cluster. The routers performing the Web Cache Control Protocol (WCCP) redirection are responsible for load sharing across the various WAE devices within a cluster. WAAS high availability uses what is referred to as an N + 1 model. This name means that if N equivalent devices are required to support the required performance, then one additional device is required to provide redundancy.

In standard aggregation the Cisco WAE-674 appliance is used as the Cisco WAAS Central Manager deployed in the data center. The Cisco WAE-674 can manage up to 2000 devices. Cisco WAE clustering with N + 1 redundancy is used for the WAE appliance devices deployed in the RWAN aggregation. The Cisco WAE-7371 appliance is used based on its hardware capacity. The sizing details are provided in Table 4. A more comprehensive, interactive WAAS sizing tool is available at http://tools.cisco.com/WAAS/sizing.

Table 4. Sizing Details for Cisco WAE Devices

Device           Maximum Optimized TCP Connections   Maximum Recommended WAN Link (Mbps)   Maximum Optimized Throughput (Mbps)   Maximum Peer Devices
Cisco WAE-7341   12000                               300                                   1000                                  1400
Cisco WAE-7371   50000                               1000                                  2500                                  2800

The number of WAE appliances is determined based on the total number of users online during an hour window and the number of TCP connections per user. A minimum of two Cisco WAE-7371 appliances are required for the standard aggregation. Both devices are connected to the RWAN distribution switch.
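As an added worked example (not from the guide), the script below turns the Table 4 limits and the sizing rule just described into an N + 1 appliance count: each of the per-appliance limits (optimized TCP connections, WAN link, peer devices) yields a minimum count, the largest of them is the number of appliances the load needs, and one more is added for redundancy. The user count, connections per user, and peer count it is run with are constructed sample values.

```python
"""N+1 sizing for a Cisco WAE cluster from the Table 4 limits.

Added example, not from the Cisco NGEW guide. The per-appliance limits are
the guide's Table 4 figures; the user, connection and peer inputs in the
main block are constructed sample values.
"""
import math

# Table 4, per appliance (constructed dict of the guide's published figures).
WAE_LIMITS = {
    "WAE-7341": {"connections": 12000, "wan_mbps": 300, "peers": 1400},
    "WAE-7371": {"connections": 50000, "wan_mbps": 1000, "peers": 2800},
}


def size_wae_cluster(model, users, conns_per_user, wan_mbps, peer_sites):
    """Return (n, n_plus_1, binding_constraint) for an N+1 cluster of `model`.

    n is the number of appliances the offered load needs; n_plus_1 adds the
    redundant unit the guide's N+1 model calls for.
    """
    limits = WAE_LIMITS[model]
    demand = {
        "connections": users * conns_per_user,  # peak-hour optimized TCP connections
        "wan_mbps": wan_mbps,                   # aggregate WAN bandwidth to optimize
        "peers": peer_sites,                    # remote WAE / WAAS Express peers
    }
    # Each constraint alone needs ceil(demand / limit) appliances, never fewer than one.
    needs = {k: max(1, math.ceil(demand[k] / limits[k])) for k in demand}
    binding = max(needs, key=needs.get)  # the constraint forcing the largest count
    return needs[binding], needs[binding] + 1, binding


if __name__ == "__main__":
    # Standard aggregation: 1500 peers, 1 Gbps WAN, 7500 peak users x 5 connections.
    print(size_wae_cluster("WAE-7371", 7500, 5, 1000, 1500))   # (1, 2, 'connections')
    # A 7341 on the same site runs out of peer capacity before connection capacity.
    print(size_wae_cluster("WAE-7341", 1000, 5, 300, 2800))    # (2, 3, 'peers')
```

For the standard aggregation inputs the connection count is the first limit reached at one appliance, so the cluster is one plus one redundant unit, matching the two WAE-7371 appliances the guide calls for; raising peak users to 30000 pushes the count to three plus one.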

Deploying Cisco WAAS Central Manager

In standard aggregation, Cisco WAAS Central Manager is deployed in the data center:

! Log in to the WAE console (default username/password: admin/default) and run setup.
! Select the device mode Central Manager.

Step 2: Configure as Central Manager.

1. Application Accelerator
2. Central Manager
Select device mode [1]: 2

! Configure the default gateway and the NTP and DNS server IP addresses.
! Enable the Enterprise license; after completing setup, save the configuration and reload the appliance.
! After the reload, enable SSH. Enabling SSH requires generating an RSA key and enabling the sshd service:
ssh-key-generate key-length 2048
sshd version 2
sshd enable

Deploying Cisco WAE in the Aggregation

Cisco EtherChannel technology is used in the Cisco WAE appliances to connect to the distribution switches. If the WCCP routers are Cisco ASR 1000 Series routers, then change the default setting of hash-source-ip to mask-assign. Make this change on the WAE devices, not on the routers.

This design uses a negotiated return generic routing encapsulation (GRE) tunnel from the WAE to the router. Traffic to be reinjected into the network uses a negotiated return WCCP GRE tunnel egress method back to the originating router. This method is preferred because it allows the WAE appliances to be located one or more routed hops away from the WCCP router. A default mask is used in the WAE in the configuration that follows.

Configuring Cisco WAE Appliance

Step 1. Configure the Cisco WAE-1:

! Log in to the WAE console (default username/password: admin/default) and run setup.
! Select the device mode Application Accelerator.

Step 2: Configure as Application Accelerator.

1. Application Accelerator
2. Central Manager
Select device mode [1]: 1

! Configure the default gateway and the NTP and DNS server IP addresses.
! Enable the Enterprise license; after completing setup, save the configuration and reload the appliance.
!
! Configure the port-channel interface required for EtherChannel
!
interface PortChannel 1
 ip address 10.4.226.131 255.255.255.224
 exit
!
! Both Gig1/0 and Gig2/0 are members of port channel 1
!
interface GigabitEthernet 1/0
 channel-group 1
 exit
interface GigabitEthernet 2/0
 channel-group 1
 exit
! Configure the port channel as the primary interface
primary-interface PortChannel 1
! Configure the default gateway
ip default-gateway 10.4.226.129
! Configure the WCCP router list; mask assignment is used with this router list
! (10.4.11.204 is the GETVPN CE; 10.4.11.205 and 10.4.11.206 are the DMVPN hubs)
wccp router-list 1 10.4.11.204 10.4.11.205 10.4.11.206
! The default WCCP mask is src-ip-mask 0xf00 dst-ip-mask 0x0
wccp tcp-promiscuous router-list-num 1 mask-assign
! Configure GRE negotiated return on the WAE
egress-method negotiated-return intercept-method wccp

Step 2. Configure the WAE-2; repeat the previous steps. The IP address is configured as follows:

This design uses WCCP 61 inbound on LAN-facing interfaces to match unoptimized data sourced from the data center that is destined for clients at the WAN remote sites. WCCP 62 is used inbound on WAN-facing interfaces, matching optimized data sourced from the WAN remote sites.

Step 1. Configure WCCP on the MPLS customer edge router:

! Create an extended access list for the traffic that needs to be optimized
ip access-list extended WAAS-REDIRECT-LIST
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
! Create a standard access list with the WAE-1 and WAE-2 IP addresses
ip access-list standard WAE
 permit 10.4.226.132
 permit 10.4.226.131
! Enable WCCP services 61 and 62 with the redirect list and the WAE access list
ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list WAE
ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list WAE
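Both the GETVPN crypto ACL (ACL_GN2, referenced from the GDOI group and described under Step 6 of the keyserver configuration) and the WCCP redirect list above are evaluated the same way: the first matching entry wins and an implicit deny ends the list. What differs is what a verdict means. For GETVPN, permit means the packet is encrypted under the group SA and deny means it is forwarded in the clear; for WCCP, permit means the flow is redirected to a WAE and deny means it bypasses optimization. The Python script below is an added example, not code from the guide: it parses both lists and evaluates sample flows. WAAS-REDIRECT-LIST is copied from the configuration above; ACL_GN2 is constructed here because the guide does not print it, so its entries are assumptions, and the flow addresses are sample values.

```python
"""Evaluate IOS extended ACLs the way GETVPN and WCCP use them.

Added example, not part of the Cisco NGEW guide. ACL_GN2 is a constructed
stand-in (the guide does not print it); WAAS-REDIRECT-LIST is copied from
the guide's MPLS-CE WCCP configuration.
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "bgp": 179, "ntp": 123, "snmp": 161, "syslog": 514}

# Constructed GETVPN crypto ACL: control-plane traffic is denied (sent in the
# clear); only enterprise-to-enterprise traffic is permitted (encrypted).
ACL_GN2 = """\
ip access-list extended ACL_GN2
 deny udp any any eq 848
 deny udp any eq 848 any
 deny udp any any eq ntp
 deny udp any eq ntp any
 deny tcp any any eq telnet
 deny tcp any eq telnet any
 deny udp any any eq snmp
 deny udp any any eq syslog
 deny eigrp any any
 deny pim any any
 permit ip 10.4.0.0 0.0.255.255 10.4.0.0 0.0.255.255
"""

# WCCP redirect list from the guide: management and routing sessions bypass WAAS.
WAAS_REDIRECT_LIST = """\
ip access-list extended WAAS-REDIRECT-LIST
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
"""


def _take_addr(toks):
    """Consume one address spec (any | host A | A wildcard); return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    addr, wildcard = toks[0], toks[1]
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # wildcard -> netmask
    net = ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)
    return net, toks[2:]


def _take_port(toks):
    """Consume an optional 'eq <port>' qualifier; return (port or None, rest)."""
    if toks and toks[0] == "eq":
        p = toks[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), toks[2:]
    return None, toks


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' entries, in order."""
    entries = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue  # 'ip access-list' header or comment
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def lookup(entries, proto, src, sport, dst, dport):
    """First-match evaluation with the implicit deny that ends every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in entries:
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"


def getvpn_disposition(proto, src, sport, dst, dport):
    """GETVPN: permit = encrypted by the group SA, deny = forwarded in the clear."""
    verdict = lookup(parse_acl(ACL_GN2), proto, src, sport, dst, dport)
    return "encrypted" if verdict == "permit" else "cleartext"


def wccp_disposition(proto, src, sport, dst, dport):
    """WCCP redirect list: permit = redirected to a WAE, deny = bypasses optimization."""
    verdict = lookup(parse_acl(WAAS_REDIRECT_LIST), proto, src, sport, dst, dport)
    return "redirected" if verdict == "permit" else "bypassed"


if __name__ == "__main__":
    print(getvpn_disposition("udp", "10.4.11.204", 50000, "10.4.11.210", 848))  # GDOI registration
    print(getvpn_disposition("tcp", "10.4.1.10", 40000, "10.4.2.20", 443))      # site-to-site data
    print(getvpn_disposition("tcp", "10.4.1.10", 40000, "192.0.2.5", 443))      # outside the permit
    print(wccp_disposition("tcp", "10.4.1.10", 40000, "10.4.2.20", 22))         # SSH, not optimized
```

The third GETVPN case is the one to confirm when reviewing a crypto ACL: a flow to an address outside the permitted ranges falls to the implicit deny and leaves the group member unencrypted, so the permit entries must cover every prefix that is supposed to be protected.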

Step 2. Enable WCCP redirection on the interface:

! Enable WCCP 62 redirect on the WAN interface
interface GigabitEthernet0/0/0
 ip address 10.4.81.2 255.255.255.252
 ip wccp 62 redirect in
 ip flow ingress
 ip flow egress
 ip pim sparse-mode
 load-interval 30
 negotiation auto
 cdp enable
 crypto map GN2
 service-policy output WAN
!
! Enable WCCP 61 redirect on the LAN interface
interface Port-channel1
 ip address 10.4.226.2 255.255.255.252
 ip wccp 61 redirect in
 ip pim sparse-mode
 ip tcp adjust-mss 1360
 load-interval 30
 no negotiation auto

Enabling WAAS on the DMVPN Hub (Cisco ASR 1000)

This design uses WCCP 61 inbound on LAN-facing interfaces to match unoptimized data sourced from the data center that is destined for clients at the WAN remote sites. WCCP 62 is used inbound on the tunnel interface, matching optimized data sourced from the WAN remote sites.

Step 1. Configure WCCP on the DMVPN hub router. Do step 1 of "Enabling WAAS on the MPLS-CE".

Step 2. Enable WCCP redirection on the interface:

! Enable WCCP 62 redirect on the tunnel interface of the DMVPN hub
interface Tunnel10
 bandwidth 100000
 ip address 10.3.0.1 255.255.224.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 qos pre-classify
 cdp enable
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf Inet-public
 tunnel protection ipsec profile DMVPN-profile
!
! Enable "wccp 61 redirect in" and "wccp 62 redirect out" on the LAN interface. WCCP 62 out is
! required on the LAN interface to support dynamic creation of spoke-to-spoke tunnels; in that
! case traffic from the WAN is intercepted by service 62 configured outbound on the LAN interface.
interface Port-channel1
 ip address 10.4.226.18 255.255.255.252
 ip wccp 61 redirect in
 ip wccp 62 redirect out
 no negotiation auto
end

Deploying QoS on Standard Aggregation

In standard aggregation the headend and the standard branch offices have six classes of service. The QoS classes listed in Table 5 are used in this design. Further details about end-to-end QoS and remarking from six to four classes are discussed in the NGEW QoS deployment guide.

Table 5. QoS Classes

Layer 3 columns: Per-Hop Behavior (PHB), Differentiated Services Code Point (DSCP), IP Precedence (IPP). Layer 2 column: CoS.

Service Class                                       PHB                DSCP             IPP   CoS
Network Control                                     CS6                48               6     6
Telephony                                           EF                 46               5     5
Signaling                                           CS3                24               3     3
Multimedia conferencing                             AF41, 42, and 43   34, 36, and 38   4     4
Real-time interactive                               CS4                32               4     4
Multimedia streaming                                AF31, 32, and 33   26, 28, and 30   3     3
Low-latency data                                    AF21, 22, and 23   18, 20, and 22   2     2
Operations, administration, and maintenance (OAM)   CS2                16               2     2
Bulk data                                           AF11, 12, and 13   10, 12, and 14   1     1
Scavenger                                           CS1                8                1     1
Default "best effort"                               DF                 0                0     0

Deploying QoS for Cisco ASR 1000 (MPLS-CE)

Step 1. Configure class maps:

! Configure the class maps. The routing protocol in use should also be placed in the network
! control class. BGP is not marked with a DSCP value by default, so NBAR is used to identify
! BGP traffic and its DSCP value is set to cs6.
class-map match-any VOICE
 match ip dscp ef
class-map match-any VIDEO-RT-INTERACTIVE
 match ip dscp cs4 af41
class-map match-any NETWORK-MGMT-OAM
 match ip dscp cs2 cs6
class-map match-any STREAMING-SIGNALLING
 match ip dscp cs3 af31
class-map match-any CRITICAL-DATA
 match ip dscp af21 af22 af23
class-map match-any BULK-SCAVENGER
 match ip dscp cs1 af11
class-map match-any BGP-Routing
 match protocol bgp
!
! Policy map that sets the DSCP value to cs6.
policy-map MARK-BGP
 class BGP-Routing
  set dscp cs6
!
! NBAR is enabled on the WAN interface connecting to the MPLS cloud
interface GigabitEthernet0/1
 ip address 10.4.81.2 255.255.255.252
 ip nbar protocol-discovery
 duplex auto
 speed auto
 media-type rj45

Step 2. Configure the QoS policy map:

! Policy map with queuing and sample bandwidth reservations (the percentages can be changed
! to match the traffic profile). The policy map used for BGP marking is applied within the
! class NETWORK-MGMT-OAM.
policy-map WAN-SP-CLASS-OUTPUT
 class VOICE
  priority percent 18
 class VIDEO-RT-INTERACTIVE
  priority percent 15
 class NETWORK-MGMT-OAM
  bandwidth percent 5
  service-policy MARK-BGP
 class STREAMING-SIGNALLING
  bandwidth percent 17
 class CRITICAL-DATA
  bandwidth percent 15
 class BULK-SCAVENGER
  bandwidth percent 5
  random-detect
 class class-default
  bandwidth percent 25
  random-detect

Step 3. Configure shaping and apply the QoS:

! Shaping ensures the load does not exceed the bandwidth subscribed from the provider. For MPLS
! aggregation 1000 Mbps is the recommended bandwidth, so shaping is configured to that rate.
! The policy with queuing is applied as the child policy.
policy-map Int-Gig-Aggr
 class class-default
  shape average 1000000000
  service-policy WAN
!
interface GigabitEthernet0/1
 ip address 10.4.81.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 service-policy output Int-Gig-Aggr

Deploying QoS for DMVPN Hub

For DMVPN, traffic shaping is configured in QoS for the backup link of the standard branch offices to the aggregation and primary link of the mobile branch offices. With limitations that exist today, the best approach is to group similar branch offices into one policy and shape on that group. Because both traffic policing and queuing are required, a two-level hierarchy is used: policing on the child level and shaping on the parent level.

Step 1. Configure class maps.

Class maps for the two types of branch offices are configured with different traffic types. In this design six traffic classes are used:

ip access-list extended MOBILE
 permit ip any 50.1.0.0 0.0.255.255
ip access-list extended STANDARD
 permit ip any 50.2.0.0 0.0.255.255
!
class-map match-any MOBILE
 match access-group name MOBILE
class-map match-any STANDARD
 match access-group name STANDARD
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
class-map match-any SCAVENGER
 match ip dscp cs1 af11

Step 2. Policy based on different traffic types:

policy-map STAND-BR
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
  random-detect dscp-based
 class DATA
  bandwidth percent 19
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
  random-detect
!
policy-map MOBILE-BR
 class DATA
  bandwidth percent 33
 class CRITICAL-DATA
  bandwidth percent 35
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 2
 class class-default
  bandwidth percent 25
  random-detect
!
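The class maps and the two policy maps above can be checked mechanically: the allocations in a policy map should not exceed 100 percent of the shaped rate, and because a policy map evaluates its classes in order, a DSCP matched by two class maps is always served by the first. The Python script below is an added example, not code from the guide; it parses a trimmed copy of the DMVPN hub class maps and policy maps (constructed from the configuration above, without the MOBILE/STANDARD access-group classes and the random-detect lines) and reports each policy's totals and which class a given DSCP lands in. The 33 percent priority-queue guideline it checks against is a common design rule and an assumption of this example.

```python
"""Sanity-check IOS MQC policy maps: allocation totals and class ordering.

Added example, not code from the Cisco NGEW guide. SAMPLE_QOS is a trimmed
copy of the guide's DMVPN hub class maps and policy maps; the 33 percent
priority-queue guideline is this example's own assumption.
"""

SAMPLE_QOS = """\
class-map match-any DATA
 match ip dscp af21
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4 af41
class-map match-any CRITICAL-DATA
 match dscp cs3 af31
class-map match-any VOICE
 match dscp ef
class-map match-any NETWORK-CRITICAL
 match ip dscp cs2 cs6
class-map match-any SCAVENGER
 match ip dscp cs1 af11
policy-map STAND-BR
 class VOICE
  priority percent 10
 class INTERACTIVE-VIDEO
  priority percent 23
 class CRITICAL-DATA
  bandwidth percent 15
 class DATA
  bandwidth percent 19
 class SCAVENGER
  bandwidth percent 5
 class NETWORK-CRITICAL
  bandwidth percent 3
 class class-default
  bandwidth percent 25
policy-map MOBILE-BR
 class DATA
  bandwidth percent 33
 class CRITICAL-DATA
  bandwidth percent 35
 class SCAVENGER
  bandwidth percent 2
 class class-default
  bandwidth percent 25
"""

MAX_PRIORITY_PERCENT = 33  # common LLQ design guideline (assumption)


def parse_qos(config):
    """Return (class_maps: name -> set of DSCPs, policy_maps: name -> ordered classes)."""
    class_maps, policy_maps = {}, {}
    cm = pm = None
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "class-map":
            cm, pm = class_maps.setdefault(toks[-1], set()), None
        elif toks[0] == "policy-map":
            pm, cm = policy_maps.setdefault(toks[1], []), None
        elif cm is not None and toks[0] == "match" and "dscp" in toks[:3]:
            cm.update(toks[toks.index("dscp") + 1:])  # 'match [ip] dscp a b ...'
        elif pm is not None and toks[0] == "class":
            pm.append({"name": toks[1], "priority": 0, "bandwidth": 0})
        elif pm is not None and len(toks) == 3 and toks[1] == "percent" \
                and toks[0] in ("priority", "bandwidth"):
            pm[-1][toks[0]] = int(toks[2])
    return class_maps, policy_maps


def percent_totals(policy):
    """(priority %, bandwidth %, total %) across all classes of one policy map."""
    pri = sum(c["priority"] for c in policy)
    bw = sum(c["bandwidth"] for c in policy)
    return pri, bw, pri + bw


def class_for_dscp(class_maps, policy, dscp):
    """Class that serves a packet with this DSCP: first match in policy-map order."""
    for c in policy:
        if c["name"] == "class-default" or dscp in class_maps.get(c["name"], ()):
            return c["name"]
    return None


def check_policy(class_maps, policy):
    """Findings: over-allocation, oversized LLQ, DSCPs shadowed by an earlier class."""
    findings = []
    pri, _, total = percent_totals(policy)
    if total > 100:
        findings.append(f"allocations sum to {total}% (> 100%)")
    if pri > MAX_PRIORITY_PERCENT:
        findings.append(f"priority share {pri}% exceeds {MAX_PRIORITY_PERCENT}% guideline")
    first_seen = {}
    for c in policy:
        for d in class_maps.get(c["name"], ()):
            if d in first_seen:
                findings.append(f"dscp {d}: class {c['name']} is shadowed by {first_seen[d]}")
            else:
                first_seen[d] = c["name"]
    return findings


if __name__ == "__main__":
    cms, pms = parse_qos(SAMPLE_QOS)
    for name, policy in pms.items():
        print(name, percent_totals(policy), check_policy(cms, policy) or "ok")
        print("  ef ->", class_for_dscp(cms, policy, "ef"))  # MOBILE-BR: class-default
```

STAND-BR allocates exactly 100 percent with 33 percent in the priority queues; MOBILE-BR allocates 95 percent and has no VOICE class, so EF-marked traffic from a mobile branch is served from class-default, which is worth knowing before placing voice endpoints behind that policy.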

Step 3. Configure parent policy to shape on the two different types of branch offices:

The mobile branch office has a Cisco 1941 Integrated Services Router, part of the Cisco ISR G2 router portfolio, with 3G wireless connection to the Internet as the WAN link and DMVPN for secure connectivity to the RWAN aggregation. Cisco WAAS Express (WAASX) embedded with Cisco IOS® Software is used for WAN optimization, which is suitable for low-bandwidth (<2 Mbps) WAN links (Figure 5).

Figure 5. Mobile Branch Topology

Deploying Branch-Office CDMA

Step 1. Install the Code Division Multiple Access (CDMA) high-speed WAN interface card (HWIC) and register with the service provider using the Electronic Serial Number (ESN) found on the HWIC.

Step 2. Create a chat script for CDMA connection. Chat scripts are strings of text used to send commands for modem dialing:

chat-script cdma "" "atdt#777" TIMEOUT 30 "CONNECT"

Step 3. Apply the chat script to the line interface of cellular interface 0/1/0:

! Configure a default route in VRF Inet-public to the Internet through the dialer interface
ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 Dialer1

Step 2. Configure ISAKMP and IPsec. For the mobile branch office, preshared-key authentication is used in this design. If the PKI server is present in the demilitarized zone of the RWAN aggregation, you can also use PKI authentication:

! crypto keyring defines a preshared key to be used with a specific VRF.

A standard branch office has a Cisco 2951 Integrated Services Router, part of the Cisco ISR G2 router portfolio, with a MPLS connection to the provider as the primary WAN link and DSL (asymmetric DSL [ADSL] or symmetric high-speed DSL [SHDSL]) as the backup connection to the Internet (Figure 7). Cisco Unified Communications Manager Express is used for providing IP telephony services to the branch office. Cisco Unified Communications endpoints, including the Cisco Unified IP Phone 9971 videophones, are included in this branch-office design. Voicemail service is provided to the branch office using the Cisco Unity® Express Integrated Services Module (ISM-CUE) installed in the router. The Cisco WAE on Cisco Services-Ready Engine (SRE-WAE) module is used for enabling WAN optimization. A packet voice digital signal processor 3 module (PVDM3) provides videoconferencing services to the videophones registered to the Cisco Unified Communications Manager Express. Video deployment details with medianet features are provided in the Video Implementation guide. PfR deployment details are covered in the NGEW PfR Implementation guide.

Existing WAN links based on a multiple-T1 or serial interface can be migrated to Ethernet-based MPLS or Metro Ethernet services with a Cisco 2951 Integrated Services Router. The Cisco 2951 has three onboard Gigabit Ethernet interfaces that provide an easy migration option to an Ethernet-based WAN link. The Ethernet-based WAN link provides flexibility to add bandwidth. In the standard branch-office design, a 10-Mbps WAN link is used; it can be upgraded to 100 Mbps cost-effectively without new customer-premises-equipment (CPE) hardware. Traffic shaping needs to be configured in the QoS to ensure the load does not exceed the subscribed bandwidth from the service provider.

An example configuration for migrating from a 2T1 multilink to an Ethernet-based WAN link follows:

! Current configuration on the branch router
controller T1 0/0/0
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
interface Multilink1
 ip address 10.4.81.114 255.255.255.252
 ip virtual-reassembly in
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 max-reserved-bandwidth 100
!
interface Serial0/0/1:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 no cdp enable
!
! Ethernet WAN link configuration. In this example the bandwidth offered by the provider is 10 Mbps; 10 Mbps is used for the QoS bandwidth calculation.
interface GigabitEthernet0/1
 bandwidth 10000
 ip address 10.4.81.114 255.255.255.252
 duplex auto
 speed auto
 media-type rj45

Routing Deployment for Standard Branch Office

Step 1. Configure BGP as the routing protocol with the MPLS provider edge as the neighbor:

! Configure BGP with the AS number given by the MPLS service provider.
! 10.4.82.25 is the IP address of the MPLS-PE router.
! 10.4.82.26 is the IP address of the Gigabit Ethernet interface connected to the MPLS

Step 3. Configure the GDOI group and associate it with the crypto map:

! Create the GDOI group and configure the key server IP addresses. 10.4.11.210 and 10.4.11.211 are the IP addresses of the primary and secondary key servers. The identity number is the same on all group members and key servers.
crypto gdoi group GN2
 identity number 1102
 server address ipv4 10.4.11.210
 server address ipv4 10.4.11.211
!
! Create a crypto map and associate the source interface and the GDOI group
!
crypto map GN2 local-address Loopback0
crypto map GN2 10 gdoi
 set group GN2

Step 4. Apply the crypto map to the MPLS WAN interface:

interface GigabitEthernet0/1
 bandwidth 100000
 ip address 10.4.82.26 255.255.255.252
 crypto map GN2

Deploying DMVPN for Standard Branch Office

PKI-based authentication can be used for DMVPN with a standard branch office because the certificate can be enrolled with the PKI server using the MPLS WAN link. The procedure is the same as that for the mobile branch office except PKI authentication is used in the standard branch office.

Step 1. Configure the ISAKMP and IPsec:

! Configure the ISAKMP policy with AES 256-bit encryption and PKI authentication. The CLI "authentication rsa-sig" is not shown below because it is the default authentication method.
crypto isakmp policy 10
 encr aes 256
 group 2
! The IPsec transform set is defined here. ESP with the 256-bit AES algorithm is used for encryption and ESP with SHA HMAC for authentication.
! The IPsec profile creates the association with the transform set and the ISAKMP profile.
crypto ipsec profile DMVPN-profile
 set transform-set AES256/SHA/TRANSPORT

Step 2. Configure the backup SHDSL link to the Internet:

! An HWIC-4SHDSL card is used for the backup Internet link. The controller is configured for 4 pairs with ATM IMA.
controller SHDSL 0/2/0
 termination cpe
 dsl-group 0 pairs 0, 1, 2, 3 ima
  shdsl annex A-B
  shdsl rate auto
! The ATM interface is configured as a point-to-point link; the IP address is assigned by the Internet service provider. VRF Inet-public is configured on the interface.
interface ATM0/2/IMA0.1 point-to-point
 ip vrf forwarding Inet-public
 ip address 172.38.10.2 255.255.255.252
 pvc 5/5
  protocol ip 172.38.10.1 broadcast
  vbr-rt 8912 8912
  oam-pvc manage
  encapsulation aal5mux ppp Virtual-Template12
! The virtual template is configured with VRF Inet-public
interface Virtual-Template12
 bandwidth 8192
 ip vrf forwarding Inet-public
 ip unnumbered ATM0/2/IMA0.1
!
! A static default route in VRF Inet-public is added pointing to the IP address of the ISP.
ip route vrf Inet-public 0.0.0.0 0.0.0.0 172.38.10.1

Step 3. Configure the tunnel interface:

! The tunnel source is ATM0/2/IMA0.1. VRF Inet-public, which is used on the ATM interface, is configured as the tunnel VRF.
interface Tunnel10
 bandwidth 8192
 ip address 10.3.0.2 255.255.224.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 10.3.0.1 172.36.10.10
 ip nhrp map multicast 172.36.10.10
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp nhs 10.3.0.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ip summary-address eigrp 200 10.6.0.0 255.255.248.0
 load-interval 30
 tunnel source ATM0/2/IMA0.1
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf Inet-public
 tunnel protection ipsec profile DMVPN-profile

Step 4. Enable routing for the DMVPN:

! EIGRP is used for routing over the DMVPN. All interfaces except Tunnel10 are configured as passive. 10.6.0.0 is the branch LAN network.
router eigrp 200
 network 10.3.0.0 0.0.31.255
 network 10.6.0.0 0.0.7.255
 passive-interface default
 no passive-interface Tunnel10

Deploying WAAS for Standard Branch Office

In the standard branch office the Cisco WAE on Cisco Services-Ready Engine (SRE-WAE) is used for application optimization. In this design the external Gigabit Ethernet interface in the Cisco WAE on Cisco Services-Ready Engine module is used for all traffic forwarding to the branch-office router. In the standard branch office the Cisco WAE on the Cisco Services-Ready Engine is installed in slot 2.

Step 1. Configure the IP address and the default gateway for the Cisco WAE on Cisco Services-Ready Engine module:

! Configure the IP address on the service module. This is required to session into the module.
interface SM2/0
 ip address 2.2.2.2 255.255.255.252
! IP address of the service module used for router communication, and the default gateway
 service-module external ip address 10.6.1.10 255.255.255.0
 service-module ip default-gateway 10.6.1.1

Step 2. Configure Cisco WAE:

! Session into the WAE console from the router command prompt; the default user/password is admin/default
Br-MPLSA-StdCE1#service-module sm2/0 session
! Run the setup on the WAE
NOHOSTNAME#setup
! Configure the interception method and the time zone
Configure Interception method:WCCP
Enter time zone:PDT -8 0
! Configure the interface and disable DHCP. The IP address and the default gateway are configured from the SM2/0 interface on the router

! The IP address of the CUCM is 10.4.200.15. The DNs of the phones in the campus start with the 408 prefix. The trunk is configured with the H.264 video codec to support calls to videophones registered with CUCM.
dial-peer voice 2 voip
 destination-pattern 408.......
 video codec h264
 rtp payload-type cisco-codec-fax-ack 111
 rtp payload-type cisco-codec-video-h264 97
 session protocol sipv2
 session target ipv4:10.4.200.15
 incoming called-number 972.......
 dtmf-relay rtp-nte
 codec g711ulaw

Deploying QoS for Standard Branch Office

Further details about end-to-end QoS and remarking from 6 to 4 class are discussed in the NGEW QoS deployment guide.

Deploying QoS for MPLS WAN Link

Step 1. Configure class maps:

! The class maps are configured similarly to those on the MPLS-CE in the aggregation

Step 2. Configure the QoS policy map:

! Policy map with queuing and sample bandwidth reservations (the bandwidth percentages can be changed based on the traffic profile). The policy map used for BGP marking is added in the class NETWORK-MGMT-OAM.
policy-map WAN-SP-CLASS-OUTPUT
 class VOICE
  priority percent 10
 class VIDEO-RT-INTERACTIVE
  priority percent 23
 class NETWORK-MGMT-OAM
  bandwidth percent 5
  service-policy MARK-BGP
 class STREAMING-SIGNALLING
  bandwidth percent 17
 class CRITICAL-DATA
  bandwidth percent 15
 class BULK-SCAVENGER
  bandwidth percent 5
  random-detect
 class class-default
  bandwidth percent 25
  random-detect

Step 3. Configure shaping and apply the QoS:

! Shaping makes sure the load does not exceed the bandwidth subscribed from the provider. For the standard branch office 10 Mbps is the recommended bandwidth, so shaping is done to that rate. The policy with queuing (WAN-SP-CLASS-OUTPUT) is applied as the child policy.
policy-map Int-Gig-SBr
 class class-default
  shape average 10000000
  service-policy WAN-SP-CLASS-OUTPUT
!
interface GigabitEthernet0/1
 ip address 10.4.81.114 255.255.255.252
 ip nbar protocol-discovery
 duplex auto
 speed auto
 media-type rj45
 service-policy output Int-Gig-SBr

Deploying QoS for DMVPN Tunnel

Step 1. Configure shaping and apply QoS:

! Shaping makes sure the load does not exceed the bandwidth subscribed from the provider. 4-pair SHDSL has a maximum bandwidth of 9216 Mbps; the subscribed bandwidth in this example is 8912. The policy with queuing (WAN-SP-CLASS-OUTPUT) is applied as the child policy.
policy-map Int-ATM
 class class-default
  shape average 8900000
  service-policy WAN-SP-CLASS-OUTPUT
!
! QoS is applied on the ATM0/2/IMA0.1 interface
interface ATM0/2/IMA0.1 point-to-point
 ip vrf forwarding Inet-public
 ip address 172.38.10.2 255.255.255.252
 pvc 5/5
  protocol ip 172.38.10.1 broadcast
  vbr-rt 8912 8912
  oam-pvc manage
  encapsulation aal5mux ppp Virtual-Template12
 service-policy output Int-ATM

High-End Aggregation

High-end aggregation can terminate up to 5000 branches, consisting of all four branch profiles. High-end aggregation requires the highest availability and performance, and contains redundant components and multiple connections to both MPLS and the Internet.

In this design the headend customer edge routers, which are acting as headend group members, are Cisco ASR 1000 Series routers. For High-end aggregation the configuration of Cisco ASR 1000 Series routers shown in Table 7 is used.

Table 7. Configuration of Cisco ASR 1000 Series Routers

Component       Type             Redundancy   Performance
Chassis model   Cisco ASR 1006   No           Based on RP and ESP
ESP             ESP40            Yes          Up to 10 Gbps encrypted
RP              RP2              Yes

The design has Cisco ISR G2 routers acting as keyserver. The keyserver is configured with group policies that are pushed to all group members.

Figure 8. RWAN High-End Aggregation

Deploying Group Encrypted Transport VPN for High-End Aggregation

One of the main differences in high-end vs. standard aggregation is the high availability of six 9s. To have six 9s availability, a redundant keyserver is used in this design. PKI is the mandatory requirement for high-end and standard branch offices.

The MPLS cloud interconnects the headend to the branch-office sites. The customer edge routers on each site act as group members. The headend customer edge router is also acting as a group member. All these routers are grouped into a GDOI group. Therefore all keyservers and group members are part of the same VPN. For redundancy and high availability, there are two keyservers.

Keyserver Configuration

For redundancy, two keyservers are used in this design.

Primary Keyserver Configuration

The keyserver configuration procedure is similar to that for standard aggregation. Please follow the step-by-step procedure defined for standard aggregation except for the following:

Step 1. Generate an RSA key for rekey on the co-op keyservers.

The cryptographic key used for rekey must be generated with the exportable option; the same key is imported into the secondary keyserver:

! "REKEYRSA" is the name of the key.
crypto key generate rsa modulus 1024 label REKEYRSA exportable

Note: It is a good practice not to save the exported keys anywhere; instead import them to the other routers directly by copying and pasting from the console of the first keyserver. It should be done through a secure computer. If the keys are compromised, the security of the network will be undermined.

Step 2. Configure the GDOI group with a secondary keyserver address:

! 10.4.11.210 is the loopback IP address of the local (primary) KS. 10.4.11.211 is the IP address of the secondary KS. The KS with the higher priority number is elected as primary.

PKI is the more secure and scalable method of authentication. The following steps must be repeated on all devices in the network.

Note: rsa-sig is the default authentication method for an ISAKMP policy.

Unique RSA keys must be generated on all keyservers and group members as follows:

crypto key generate rsa general-keys label PKI_KS modulus 4096

All keyservers and group members must be configured with a trustpoint:

crypto pki trustpoint HE-PKI
 ! The URL is the address of the PKI server
 enrollment url http://10.4.226.202:80
 revocation-check none
 ! PKI_KS is the label of the generated keys
 rsakeypair PKI_KS

Authenticate to the CA server and download the signed certificate:

crypto pki authenticate HE-PKI
crypto pki enroll HE-PKI

Step 3. Configure IPsec parameters:

crypto ipsec transform-set 3DES esp-aes 256 esp-md5-hmac
!
crypto ipsec profile GN
 set security-association lifetime seconds 3600
 set transform-set 3DES
!

Step 4. Import the RSA key that is used for rekey from the primary keyserver:

! The key is exported first from the primary KS. Execute the command below at the configuration prompt of the primary KS. "cisco123" is the passphrase.
crypto key export rsa REKEYRSA pem terminal 3des cisco123
% Key name: REKEYRSA
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCuKbSROW7eSqxC+IjB0ipplVkT
...
NtSRSR51ooWQW5CXRwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B2CE8D823EE52FDC
Zi82W/lX3u0WiHN0ezi6qH5Jeo1baptdqzLlVk2jioAyZabWJqc7+svFY+DJ8rT+
...
p3dHnQSBaLu1pH3YI9gebQhMgqH6Ie00ucEYVl4/jArzUjifjdCvkQ==
-----END RSA PRIVATE KEY-----
! Execute the command below at the configuration prompt of the secondary KS and paste the key copied from the export.
crypto key import rsa REKEYRSA pem terminal cisco123
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
<Paste the public key from the output of the key export: the encoded key data between the lines marked BEGIN and END.>
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
<Paste the private key from the output of the key export: the encoded key data between the lines marked BEGIN and END.>
quit
!

Repeat the process for all other Key Servers.

Step 5. Configure the GDOI group:

! 10.4.11.211 is the loopback IP address of the local (secondary) KS. 10.4.11.210 is the IP address of the primary KS. The priority number of this KS is configured with a lower number.
crypto gdoi group GN2
 identity number 1102
 server local
  rekey algorithm aes 128
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa REKEYRSA
  registration interface Loopback0
  registration interface GigabitEthernet0/1
  sa ipsec 1
   profile GN
   match address ipv4 ACL_GN2
   no replay
  address ipv4 10.4.11.211
  redundancy
   local priority 1
   peer address ipv4 10.4.11.210

Step 6. Configure the ACL:

Everything that is permitted in the ACL is traffic to be encrypted. Anything denied will go unencrypted:

ip access-list extended ACL_GN2
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny udp any eq 848 any
 deny udp any any eq 848
 deny eigrp any any
 deny udp any any eq ntp
 deny udp any eq ntp any
 deny udp any any eq snmp
 deny udp any eq snmp any
 deny udp any any eq syslog
 deny udp any eq syslog any
 deny tcp any host 10.4.226.202 eq www
 deny tcp host 10.4.226.202 eq www any
 deny pim any host 224.0.0.13
 deny igmp any any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny udp any eq tftp any
 deny udp any any eq tftp
 permit ip any any
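Because every deny entry in this ACL is traffic that crosses the MPLS WAN in cleartext, it is worth checking exactly which flows fall on which side of the policy before it is pushed to the group members. The evaluator below is an added example, not part of the Cisco guide: it parses the ACL_GN2 entries as written above with first-match semantics and reports whether a given 5-tuple would be encrypted; the sample flows are constructed from addresses that appear in this document.

```python
"""First-match evaluator for the GETVPN crypto ACL ACL_GN2 shown above.
Added example, not from the Cisco guide: in a GDOI policy a permit entry
means the flow is encrypted; a deny entry, or no match at all, means the
flow crosses the MPLS WAN in cleartext. ACL text transcribed from the guide."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IOS port keywords that appear in the ACL, resolved to port numbers.
PORT_NAMES = {"bgp": 179, "ntp": 123, "snmp": 161, "syslog": 514,
              "www": 80, "telnet": 23, "tftp": 69}

ACL_GN2_TEXT = """
ip access-list extended ACL_GN2
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny udp any eq 848 any
 deny udp any any eq 848
 deny eigrp any any
 deny udp any any eq ntp
 deny udp any eq ntp any
 deny udp any any eq snmp
 deny udp any eq snmp any
 deny udp any any eq syslog
 deny udp any eq syslog any
 deny tcp any host 10.4.226.202 eq www
 deny tcp host 10.4.226.202 eq www any
 deny pim any host 224.0.0.13
 deny igmp any any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny udp any eq tftp any
 deny udp any any eq tftp
 permit ip any any
"""

@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp", "eigrp", "pim", "igmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (hostmask) after the slash
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    """Parse an optional 'eq <port>' qualifier (the only operator this ACL uses)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acl(text):
    """Return entries as (action, proto, src_net, sport, dst_net, dport) tuples."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue                     # skip the header line and blanks
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append((t[0], t[1], src, sport, dst, dport))
    return aces

def _matches(ace, flow):
    action, proto, src, sport, dst, dport = ace
    if proto != "ip" and proto != flow.proto:
        return False
    if ip_address(flow.src) not in src or ip_address(flow.dst) not in dst:
        return False
    if sport is not None and sport != flow.sport:
        return False
    return dport is None or dport == flow.dport

def is_encrypted(acl, flow):
    """True when the first matching entry is a permit. A flow that matches
    no entry is not selected for encryption, which behaves like a deny."""
    for ace in acl:
        if _matches(ace, flow):
            return ace[0] == "permit"
    return False

ACL_GN2 = parse_acl(ACL_GN2_TEXT)

# Constructed sample flows using addresses that appear in this guide.
BGP_TO_PE = Flow("tcp", "10.4.82.26", "10.4.82.25", 49152, 179)
GDOI_REGISTRATION = Flow("udp", "10.4.82.26", "10.4.11.210", 848, 848)
SCEP_TO_PKI = Flow("tcp", "10.6.1.20", "10.4.226.202", 50000, 80)
SIP_TO_CUCM = Flow("tcp", "10.6.1.20", "10.4.200.15", 50001, 5060)
```

Running the sample flows through `is_encrypted` shows the control-plane exceptions (BGP, GDOI, SCEP to the PKI server) in cleartext and user traffic such as SIP to CUCM encrypted; note that Telnet and TFTP are also excluded, so any management session using them is visible on the provider network.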

Group Member Configuration on the Aggregation Customer Edge (Cisco ASR 1000)

Group member configuration is similar to the group member configuration in the standard design section. However, routing is slightly different, as described in the following section.

Routing on Group Member

The group member is running eBGP to connect to the service provider edge. The internal network of the RWAN aggregation is running EIGRP. Route redistribution is configured between EIGRP and BGP for high-end aggregation because there are two headend routers for redundancy. Because it is possible to get the same route from two different providers into the LAN, it is necessary to apply an ACL to avoid looping (Figure 9). The configuration follows.

Figure 9. Routing Design for High-End Aggregation

router eigrp 300
 distribute-list Block-CE in
 default-metric 100000 100 255 1 1500
 network 10.4.0.0 0.0.255.255
 redistribute bgp 65511
 passive-interface default
 no passive-interface Port-channel1
 no passive-interface GigabitEthernet0/0/1
 eigrp router-id 10.4.11.204
!
router bgp 65511
 bgp router-id 10.4.11.204
 bgp log-neighbor-changes
 neighbor 10.4.81.1 remote-as 65000
 !
 address-family ipv4
  network 10.4.81.0 mask 255.255.255.252
  redistribute eigrp 300
  neighbor 10.4.81.1 activate
 exit-address-family
!
!
ip access-list standard Block-CE
 deny 10.5.0.0 0.0.255.255
 deny 10.4.81.0 0.0.0.255
 deny 10.4.82.0 0.0.0.255
 permit any
!

Deploying DMVPN for High-End Aggregation

In this design dual hubs are used for redundancy and high availability. The spokes terminate on both hubs and have routing preference to connect to the primary hub.

The authentication method on the hub is both certificate and preshared. Although certificate is the preferred method, it might not be feasible for some of the mobile client routers to download the certificate. In that case there are two options: either have the certificate loaded on the box before installing it on the mobile site or use the preshared key to authenticate the peer.

The routing protocol used over DMVPN is BGP. The hub routers also act as the route reflectors. All spokes are defined as route-reflector clients. Route redistribution is configured between EIGRP used internally in the RWAN aggregation and BGP with the spokes over the DMVPN tunnel.

Following is the BGP configuration on the hub. If the BGP autonomous system is unique for each of the standard branch-office routers, you should use eBGP instead of iBGP:

router bgp 1000
 bgp router-id 99.2.1.1
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 timers bgp 120 480
 redistribute connected
 neighbor spoke1 peer-group
 neighbor spoke1 remote-as 1000
 neighbor spoke1 update-source Tunnel1
 neighbor spoke1 route-reflector-client
 neighbor spoke1 next-hop-self
 neighbor spoke2 peer-group
 neighbor spoke2 remote-as 1000
 neighbor spoke2 update-source Tunnel1
 neighbor spoke2 route-reflector-client
 neighbor spoke2 next-hop-self
 neighbor spoke3 peer-group
 neighbor spoke3 remote-as 1000
 neighbor spoke3 update-source Tunnel1
 neighbor switch peer-group
 neighbor switch remote-as 1000
 neighbor switch update-source GigabitEthernet0/0/1
 neighbor switch route-reflector-client
 neighbor switch next-hop-self
 neighbor 21.1.10.1 peer-group spoke2
 neighbor 21.1.10.2 peer-group spoke2

DMVPN Hub-B Configuration

The configuration procedure is the same as the previous steps 1-3.

Deploying WAAS for High-End Aggregation

In high-end aggregation the Cisco WAE-7371 appliance is used as a Cisco WAAS Central Manager deployed in the data center. The Cisco WAE-7371 can manage up to 2000 devices. WAE clustering with the N + 1 redundancy model is used for the WAE appliance devices deployed in the RWAN aggregation. The Cisco WAE-7371 appliance is used based on the hardware capacity. The sizing details are provided in Table 8. A more comprehensive, interactive WAAS sizing tool is available at cisco.com: http://tools.cisco.com/WAAS/sizing.

Table 8. Sizing Details for Cisco WAE-7371

Device           Maximum Optimized   Maximum Recommended   Maximum Optimized   Maximum Peer
                 TCP Connections     WAN Link (Mbps)       Throughput (Mbps)   Devices
Cisco WAE-7341   12000               300                   1000                1400
Cisco WAE-7371   50000               1000                  2500                2800

The number of Cisco WAE appliances is based on the total number of users online during an hour window and the number of TCP connections per user. A minimum of four Cisco WAE-7371 appliances are required for the high-end aggregation. All the devices are connected to the RWAN distribution switch. Please refer to the section "Deploying WAAS for Standard Aggregation" for the step-by-step configuration procedure.

Deploying QoS for High-End Aggregation

In high-end aggregation the QoS classes listed in Table 9 are used. Most service providers support only six classes. The broadcast video class is re-marked on the WAN interface before traffic is sent to the provider. In this design, because Group Encrypted Transport VPN is used on the WAN interface, the DSCP re-marking is done on the encrypted packet header. When the packet is decrypted at the remote site, the original DSCP value (in this case CS5 for broadcast video) is preserved, so no re-marking is required at the remote site. The same applies to the DMVPN link. Further details about end-to-end QoS and remarking are discussed in the NGEW QoS deployment guide.

Table 9. QoS Classes

PHB, DSCP and IPP are Layer 3 markings; CoS is the Layer 2 marking.

Service Class              PHB                 DSCP             IPP   CoS
Network control            CS6                 48               6     6
Telephony                  EF                  46               5     5
Signaling                  CS3                 24               3     3
Multimedia conferencing    AF41, 42, and 43    34, 36, and 38   4     4
Real-time interactive      CS4                 32               4     4
Multimedia streaming       AF31, 32, and 33    26, 28, and 30   3     3
Broadcast video            CS5                 40               5     5
Low-latency data           AF21, 22, and 23    18, 20, and 22   2     2
OAM                        CS2                 16               2     2
Bulk data                  AF11, 12, and 13    10, 12, and 14   1     1
Scavenger                  CS1                 8                1     1
Default "best effort"      DF                  0                0     0

Deploying QoS for MPLS Customer Edge

Step 1. Configure class maps:

! Configure the class maps; the routing protocol in use should also be included in the network control class. NBAR is used to identify BGP traffic and the DSCP value is set to cs6.

! Shaping makes sure the load does not exceed the bandwidth subscribed from the provider. For high-end aggregation 1000 Mbps is the recommended bandwidth, so shaping is done to that rate. The policy with queuing is applied as the child policy.
policy-map Int-Gig-Agg-HE
 class class-default
  shape average 1000000000
  service-policy WAN
!
interface GigabitEthernet0/1
 ip address 10.4.81.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 service-policy output Int-Gig-Agg-HE

Deploying QoS for DMVPN Hub

For DMVPN, traffic shaping is configured in QoS for the backup link of the standard branch offices to the aggregation and primary link of the mobile branch offices. With limitations that exist today, the best approach is to group similar branch offices into one policy and shape on that group. Because both traffic policing and queuing are required, a two-level hierarchy is used: policing on the child level and shaping on the parent level.

For the step-by-step configuration procedure, refer to the section "Deploying QoS in DMVPN hub for Standard Aggregation".

Deploying Remote Sites for High-End Aggregation

Three different types of remote sites are supported in the RWAN high-end or large-scale aggregation (Table 10).

Table 10. Types of Remote Sites with High-End Aggregation

Branch-Office Type   Platform                     WAN Link                       WAN Optimization   Secure Connectivity
Mobile               Cisco 1941 ISR               Single: 3G                     WAAS-Express       DMVPN
Standard             Cisco 2951 ISR               Dual: MPLS and Internet        SRE-WAE            Group Encrypted Transport VPN/DMVPN
High end             Two Cisco 3945 ISRs          One MPLS link on each router   SRE-WAE            Group Encrypted Transport VPN
Ultra high end       Two Cisco ASR 1001 Routers   One MPLS link on each router   WAE appliance      Group Encrypted Transport VPN

Mobile Branch Office

The mobile branch office has a Cisco 1941 ISR with a 3G wireless connection to the Internet as the WAN link and DMVPN for secure connectivity to the RWAN aggregation. Cisco WAAS Express embedded with Cisco IOS Software is used for WAN optimization, which is suitable for low-bandwidth (< 2 Mbps) WAN links. Deployment details are provided in the section for mobile branch-office standard aggregation.

Standard Branch Office

The standard branch office has a Cisco 2951 ISR with an MPLS connection to the provider as the primary WAN link and DSL (ADSL/SHDSL) as the backup connection to the Internet. Cisco Unified Communications Manager Express is used for providing IP telephony services to the branch office. Cisco Unified Communications endpoints, including Cisco Unified IP Phone 9971 videophones, are included in this branch-office design. Voicemail service is provided to the branch office using the Cisco Unity Express ISM (ISM-CUE) installed in the router. The Cisco WAE on the Cisco Services-Ready Engine (SRE-WAE) module is used for enabling WAN optimization. A PVDM3 DSP installed in the Cisco 2951 is used for providing videoconferencing services to the videophones registered to the Cisco Unified Communications Manager Express. Deployment details are provided in the section for standard aggregation for the standard branch office.

High-End Branch Office

The high-end branch office has redundant Cisco 3945 ISRs with Hot Standby Router Protocol (HSRP) enabled on the LAN interface. Both the routers have a single MPLS connection to different providers using a Gigabit Ethernet interface as the WAN link with bandwidth provisioned to 100 Mbps. Rich-media services such as video surveillance, Survivable Remote Site Telephony (SRST), video streaming, and different types of endpoints are included in this design. The centralized Cisco Unified Communications Manager deployed in the data center provides IP telephony services to the branch office. A PVDM3 installed in Cisco 3945 is used for providing local videoconferencing services to the Cisco videophones such as the Cisco Unified IP Phone 9971 registered to Cisco Unified Communications Manager and Cisco TelePresence® System EX90 (EX90), E20, and Cisco TelePresence Movi registered to the Cisco TelePresence Video Communication Server Expressway (VCS Expressway). Cisco WAE on Cisco Services-Ready Engine (SRE-WAE) module installed in both of the branch-office routers enables the WAN optimization service in cluster mode. PfR is used to provide application-level intelligent routing and load distribution between the two MPLS links. PfR deployment details are provided in the NGEW PfR Implementation guide. Video deployments with medianet features are provided in the NGEW Video Implementation guide.

Figure 10. High-End Branch-Office Topology

Migration from Services-Ready Branch-Office Architecture

WAN Link Migration from DS-3 to Gigabit Ethernet

Existing WAN links based on DS-3 can be migrated to Ethernet-based MPLS or Metro Ethernet services with the Cisco 3945 ISR. The Cisco 3945 has three onboard Gigabit Ethernet interfaces that provide an easy migration option to an Ethernet-based WAN link. An Ethernet-based WAN link provides flexibility to add bandwidth. In the high-end branch-office design, a 100-Mbps WAN link is used; it can be upgraded to higher bandwidth later cost-effectively without new CPE hardware. Traffic shaping needs to be configured in the QoS to ensure the load does not exceed the subscribed bandwidth from the service provider.

An example configuration for migrating from a DS-3 to an Ethernet-based WAN link follows:

In a high-end branch-office, HSRP is configured on the LAN interfaces of the branch-office routers to provide first-hop redundancy for all the branch-office IP endpoints. An HSRP virtual IP that is shared between two branch-office routers is configured as the default gateway for all the endpoints. HSRP operates in active/standby mode; based on the HSRP priority configured, one of the branch-office routers is active and the other router is standby. In this design the HSRP priority is configured in such a way that router A is configured with higher priority for the data VLAN interface and router B is configured for the voice VLAN. So, router A would be the active router for all the hosts configured in the data VLAN and router B for voice and video endpoints:

! Virtual IP address 10.5.18.100 is configured as the default gateway for all the voice/video endpoints (10.5.17.100 for the data VLAN)
interface GigabitEthernet0/2.1
 description Vlan-Data
 encapsulation dot1Q 31
 ip address 10.5.17.2 255.255.255.0
 standby 1 ip 10.5.17.100
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 1 decrement 10
!
interface GigabitEthernet0/2.2
 description Vlan-Voice
 encapsulation dot1Q 32
 ip address 10.5.18.2 255.255.255.0
 ip pim sparse-mode
 standby 1 ip 10.5.18.100
 standby 1 priority 120
 standby 1 preempt
 standby 1 track 1 decrement 10
 ip tcp adjust-mss 1360

Transit Network

The transit network is configured between the two routers. This network is used for router-router communication and to avoid hair-pinning. This network is used for PfR also; for more information, refer to the NGEW PfR Deployment guide. The transit network should use an additional subinterface on the router interface that is already being used for data, voice, or the physical interface, if available. The configuration follows:

! Transit network configuration in Router A.
interface GigabitEthernet0/2.10
 description Transit network
 ip address 10.5.16.1 255.255.255.252

! Transit network configuration in Router B.
interface GigabitEthernet0/2.10
 description Transit network
 ip address 10.5.16.2 255.255.255.252

Routing Deployment for High-End Branch Office

BGP is used as the routing protocol for MPLS with the provider edge devices. The MPLS carrier gives the autonomous system number (ASN) for the BGP. The MPLS provider edge router uses a different BGP ASN, so eBGP is used between them. EIGRP is used between the two branch-office routers so that full reachability to all the remote sites can be achieved. BGP routes from the MPLS are redistributed to the EIGRP. The configuration follows:

! BGP ASN 65534 is used and the PE's ASN is 65400. The local router's MPLS WAN link IP is 10.4.82.26 and the PE's is 10.4.82.25. All the LAN networks 10.5.17.0 through 10.5.20.0 are configured in BGP.
router bgp 65534
 bgp router-id 10.5.16.253
 bgp log-neighbor-changes
 network 10.4.82.24 mask 255.255.255.252
 network 10.5.16.253 mask 255.255.255.255
 network 10.5.17.0 mask 255.255.255.0
 network 10.5.18.0 mask 255.255.255.0
 network 10.5.19.0 mask 255.255.255.0
 network 10.5.20.0 mask 255.255.255.0
 neighbor 10.4.82.25 remote-as 65400
 no auto-summary
!
! EIGRP 300 is used between the two routers. A network statement matching the local interface IP address is used. BGP 65534 is redistributed into EIGRP. All interfaces are configured as passive except the transit network.
router eigrp 300
 default-metric 100000 100 255 1 1500
 network 10.5.16.0 0.0.7.255
 passive-interface default
 redistribute bgp 65534
 no passive-interface GigabitEthernet0/2.10
 eigrp router-id 10.5.16.253
!

Deploying Group Encrypted Transport VPN in the High-End Branch Office

Step 1. Configure the ISAKMP and IPsec. PKI authentication is used for Group Encrypted Transport VPN in this design:

! Same as the GETVPN deployment for the standard branch office in standard aggregation

Step 2. Configure the ISAKMP and IPsec. PKI authentication is used for Group Encrypted Transport VPN in this design:

! Same as the GETVPN deployment for the standard branch office in standard aggregation

Step 3. Configure the GDOI group and associate it with the crypto map:

! Same as the GETVPN deployment for the standard branch office in standard aggregation

Step 4. Apply the crypto map in the MPLS WAN interface:

interface GigabitEthernet0/1
 bandwidth 100000
 ip address 10.4.82.26 255.255.255.252
 crypto map GN2

Deploying WAAS in the High-End Branch Office

In the high-end branch office, the Cisco WAE on Cisco Services-Ready Engine (SRE-WAE) is used for application optimization. In this design the external Gigabit Ethernet interface in the Cisco WAE on the Cisco Services-Ready Engine module is used for all traffic forwarding to the branch-office router.

Deploying Cisco WAAS on Router A

Step 1. Configure the IP address and the default gateway for the Cisco WAE on Cisco Services-Ready Engine module in router A WAE1:

! Configure the IP address on the service module. This is required to session into the module

interface SM2/0

ip address 1.1.1.2 255.255.255.252

! External IP address of the service module, used for communication with the router, and its default gateway. The default gateway configured here is the HSRP virtual IP address of the data VLAN.

service-module external ip address 10.5.17.10 255.255.255.0

service-module ip default-gateway 10.5.17.100

Step 2. Configure Cisco WAE:

This is similar to the standard branch; only the IP address differs, and is 10.5.17.10 here.

Step 3. Configure the GRE negotiated return:

! GRE negotiated return is used in all WAE devices

egress-method negotiated-return intercept-method wccp

Step 4. Configure the WCCP router list:

!WCCP router list is configured with loopback address of both the routers

! The IP address of the voice VLAN interface is configured as the IP source address. The maximum number of phones is configured as 200 and the maximum number of directory numbers as 400.

call-manager-fallback

video

max-conferences 8 gain -6

transfer-system full-consult

ip source-address 10.5.10.100 port 2000

max-ephones 200

max-dn 400

system message primary VIDEO-SCCP-SRST

Deploying QoS for High-End Branch Office

Further details about end-to-end QoS and remarking are discussed in the NGEW QoS deployment guide.

Step 1. Configure class maps:

Configure the class maps. The routing protocol in use should also be included in the network-control class. BGP traffic is not marked with a DSCP value by default, so NBAR is used to identify BGP traffic and its DSCP value is set to CS6.

class-map match-any VOICE

match ip dscp ef

class-map match-any VIDEO-RT-INTERACTIVE

match ip dscp cs4 af41

class-map match-any NETWORK-MGMT-OAM

match ip dscp cs2 cs6

class-map match-any STREAMING-SIGNALLING

match ip dscp cs3 af31

class-map match-any CRITICAL-DATA

match ip dscp af21 af22 af23

class-map match-any BULK-SCAVENGER

match ip dscp cs1 af11

class-map match-any BROADCAST-VIDEO

match ip dscp cs5

class-map match-any BEST-EFFORT

match ip dscp default

class-map match-any BGP-Routing

match protocol bgp

!

! Policy map is configured to set the dscp value to cs6.

policy-map MARK-BGP

class BGP-Routing

set dscp cs6

! NBAR is enabled on the WAN interface connecting to the MPLS

interface GigabitEthernet0/1

ip address 10.4.81.10 255.255.255.252

ip nbar protocol-discovery

duplex auto

speed auto

media-type rj45

Step 2. Configure the QoS policy map:

! Policy map in which class BROADCAST-VIDEO (CS5) is remarked to AF41 to match the service provider's 6-class offering. The policy map includes queuing and sample bandwidth reservations. The policy map used for BGP marking is attached as a child policy under the class NETWORK-MGMT-OAM.

policy-map WAN-SP-CLASS-OUTPUT

class VOICE

priority percent 10

class VIDEO-RT-INTERACTIVE

priority percent 23

class NETWORK-MGMT-OAM

bandwidth percent 5

service-policy MARK-BGP

class BROADCAST-VIDEO

set ip dscp af41

bandwidth percent 7

class STREAMING-SIGNALLING

bandwidth percent 10

class CRITICAL-DATA

bandwidth percent 15

class BULK-SCAVENGER

bandwidth percent 5

random-detect

class class-default

bandwidth percent 25

random-detect

Step 3. Configure shaping and apply the QoS:

! Shaping is done to make sure the load does not exceed the bandwidth subscribed from the provider. For the high-end branch office, 100 Mbps is the recommended bandwidth, so shaping is done to 100 Mbps. The policy with queuing is applied as the child policy.

policy-map Int-Gig-HE

class class-default

shape average 100000000

service-policy WAN-SP-CLASS-OUTPUT

interface GigabitEthernet0/1

bandwidth 100000

ip address 10.4.81.10 255.255.255.252

duplex auto

speed auto

media-type rj45

service-policy output Int-Gig-HE
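Steps 1 through 3 above build a hierarchical policy: a parent shaper on class-default with the queuing policy attached as its child. The following Python script is an added example and is not part of the Cisco guide or of any Cisco tooling. It parses a constructed copy of the Step 2 and Step 3 policy maps, resolves every service-policy reference to a defined policy map (a dangling name is a silent way to end up with a shaper and no queuing), checks that the child's priority and bandwidth percentages do not exceed 100, and converts each class percentage into kbps at the parent's shape rate. The same check applies unchanged to the ultra-high-end QoS section, which reuses this procedure. The function names and the dictionary layout are assumptions of the example.

```python
"""Sanity-check a parent shaper / child queuing policy pair (added example).

Not the guide's own tooling: it parses a constructed copy of the guide's
policy maps, resolves service-policy references, checks the child's
percentage budget and derives per-class kbps from the parent's shape rate.
"""
import re

# Constructed sample mirroring the guide's Step 2 and Step 3 policy maps.
POLICY_CONFIG = """
policy-map WAN-SP-CLASS-OUTPUT
 class VOICE
  priority percent 10
 class VIDEO-RT-INTERACTIVE
  priority percent 23
 class NETWORK-MGMT-OAM
  bandwidth percent 5
  service-policy MARK-BGP
 class BROADCAST-VIDEO
  set ip dscp af41
  bandwidth percent 7
 class STREAMING-SIGNALLING
  bandwidth percent 10
 class CRITICAL-DATA
  bandwidth percent 15
 class BULK-SCAVENGER
  bandwidth percent 5
  random-detect
 class class-default
  bandwidth percent 25
  random-detect
policy-map MARK-BGP
 class BGP-Routing
  set dscp cs6
policy-map Int-Gig-HE
 class class-default
  shape average 100000000
  service-policy WAN-SP-CLASS-OUTPUT
"""


def parse_policy_maps(text):
    """Return {policy: {class: {priority, bandwidth, shape_bps, child}}}."""
    policies, pmap, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map (\S+)$", line):
            pmap = policies.setdefault(m.group(1), {})
        elif m := re.match(r"class (\S+)$", line):
            cls = pmap.setdefault(m.group(1), {"priority": 0, "bandwidth": 0,
                                               "shape_bps": None, "child": None})
        elif m := re.match(r"priority percent (\d+)$", line):
            cls["priority"] = int(m.group(1))
        elif m := re.match(r"bandwidth percent (\d+)$", line):
            cls["bandwidth"] = int(m.group(1))
        elif m := re.match(r"shape average (\d+)$", line):
            cls["shape_bps"] = int(m.group(1))       # bits per second
        elif m := re.match(r"service-policy (\S+)$", line):
            cls["child"] = m.group(1)
    return policies


def dangling_children(policies):
    """Names referenced by service-policy that no policy-map defines."""
    return sorted({c["child"] for p in policies.values() for c in p.values()
                   if c["child"] and c["child"] not in policies})


def percent_total(policy):
    """Sum of priority + bandwidth percentages; IOS rejects totals above 100."""
    return sum(c["priority"] + c["bandwidth"] for c in policy.values())


def class_rates_kbps(policies, parent, parent_cls="class-default"):
    """Per-class kbps in the child policy, derived from the parent's shape rate."""
    shaper = policies[parent][parent_cls]
    rate_kbps = shaper["shape_bps"] // 1000
    return {name: rate_kbps * (c["priority"] + c["bandwidth"]) // 100
            for name, c in policies[shaper["child"]].items()}


def audit(text=POLICY_CONFIG):
    """Run all checks against one configuration text."""
    policies = parse_policy_maps(text)
    return {
        "dangling": dangling_children(policies),
        "child_percent_total": percent_total(policies["WAN-SP-CLASS-OUTPUT"]),
        "rates_kbps": class_rates_kbps(policies, "Int-Gig-HE"),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

With the guide's percentages the child allocates exactly 100 percent of the 100 Mbps shaper (for example 10,000 kbps to VOICE and 25,000 kbps to class-default); if the parent named a child policy that does not exist, the dangling list would name it, which is the first thing to check when the shaper is active but no class counters increment.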

Ultra-High-End Branch Office

The ultra-high-end branch office has redundant Cisco ASR 1001 routers with HSRP enabled on the LAN interface (Figure 11). Both the routers have a single MPLS connection to different providers using a Gigabit Ethernet interface as the WAN link with bandwidth provisioned to 1 Gbps. The centralized Cisco Unified Communications Manager deployed in the data center provides IP telephony services to the branch office. The Cisco 3945 is used for providing rich-media services such as SRST and videoconferencing. Different types of IP telephony endpoints are included in this design. A PVDM3 installed in the Cisco 3945 provides local videoconferencing services to the Cisco videophones such as the Cisco Unified IP Phone 9971 registered to Cisco Unified Communications Manager and EX90, E20, and Cisco TelePresence Movi registered to the Cisco VCS Expressway. Two Cisco WAE-674-K9 appliances installed in the branch office enable the WAN optimization service in cluster mode. PfR provides application-level intelligent routing and load distribution between the two MPLS links. PfR deployment details are provided in the NGEW PfR Implementation guide.

Figure 11. Ultra-High-End Branch-Office Topology

Deploying HSRP

In the ultra-high-end branch office, HSRP is configured on the LAN interfaces of the branch-office routers to provide first-hop redundancy for all the branch-office IP endpoints. The HSRP virtual IP that is shared between the two branch-office routers is configured as the default gateway for all the endpoints. HSRP operates in active/standby mode; based on the HSRP priority configured, one of the branch-office routers is active and the other router is standby. In this design the HSRP priority is configured so that router A has the higher priority for the data VLAN interface and router B has the higher priority for the voice VLAN interface. So, router A is the active router for all the hosts in the data VLAN and router B is the active router for the voice and video endpoints:

! HSRP configuration in BR-CE1. BR-CE1 is configured with higher priority for the data VLAN. Virtual IP address 10.5.25.100 is configured as default gateway for all the hosts

interface GigabitEthernet0/0/1.1

description Vlan-Data

encapsulation dot1Q 61

ip address 10.5.25.1 255.255.255.0

ip wccp 61 redirect in

ip pim sparse-mode

standby 1 ip 10.5.25.100

standby 1 priority 110

standby 1 preempt

standby 1 track 1 decrement 10

!

interface GigabitEthernet0/0/1.2

description Vlan-Voice

encapsulation dot1Q 62

ip address 10.5.26.1 255.255.255.0

standby 1 ip 10.5.26.100

standby 1 priority 110

standby 1 preempt

standby 1 track 1 decrement 10

ip tcp adjust-mss 1360

! HSRP configuration in BR-CE2. BR-CE2 is configured with higher priority for the voice VLAN.

!Virtual IP address 10.5.26.100 is configured as default gateway for all the voice/video endpoints

interface GigabitEthernet0/0/1.1

description Vlan-Data

encapsulation dot1Q 61

ip address 10.5.25.2 255.255.255.0

ip wccp 61 redirect in

ip flow ingress

ip flow egress

ip pim sparse-mode

standby 1 ip 10.5.25.100

standby 1 priority 100

standby 1 preempt

standby 1 track 1 decrement 10

!

interface GigabitEthernet0/0/1.2

description Vlan-Voice

encapsulation dot1Q 62

ip address 10.5.26.2 255.255.255.0

ip flow ingress

ip flow egress

ip pim sparse-mode

standby 1 ip 10.5.26.100

standby 1 priority 120

standby 1 preempt

standby 1 track 1 decrement 10

ip tcp adjust-mss 1360
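The two router configurations above decide the HSRP election per VLAN. The Python script below is an added example, not part of the Cisco guide: it parses a constructed copy of the BR-CE1 and BR-CE2 standby lines and reports which router is active for each VLAN, both normally and after tracked object 1 fails on the active router. The election rule modelled is the one in RFC 2281: numerically highest priority wins, a tie goes to the highest interface IP address, and a router only displaces a running active router if it has standby preempt. The function names and the report layout are assumptions of the example.

```python
"""HSRP active/standby election check for a two-router branch (added example).

Not part of the Cisco guide; models RFC 2281 election: highest priority wins,
ties go to the highest interface IP, and preempt is needed to displace a
running active router.
"""
import re
from ipaddress import ip_address

# Constructed sample mirroring the guide's data/voice sub-interfaces.
CONFIGS = {
    "BR-CE1": """
interface GigabitEthernet0/0/1.1
 description Vlan-Data
 ip address 10.5.25.1 255.255.255.0
 standby 1 ip 10.5.25.100
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 10
interface GigabitEthernet0/0/1.2
 description Vlan-Voice
 ip address 10.5.26.1 255.255.255.0
 standby 1 ip 10.5.26.100
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 10
""",
    "BR-CE2": """
interface GigabitEthernet0/0/1.1
 description Vlan-Data
 ip address 10.5.25.2 255.255.255.0
 standby 1 ip 10.5.25.100
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 1 decrement 10
interface GigabitEthernet0/0/1.2
 description Vlan-Voice
 ip address 10.5.26.2 255.255.255.0
 standby 1 ip 10.5.26.100
 standby 1 priority 120
 standby 1 preempt
 standby 1 track 1 decrement 10
""",
}


def parse_hsrp(config):
    """Return {description: {ip, vip, priority, preempt, track}} per interface."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"priority": 100, "preempt": False, "track": {}}  # IOS defaults
        elif current is None:
            continue
        elif line.startswith("description "):
            groups[line.split(None, 1)[1]] = current
        elif line.startswith("ip address "):
            current["ip"] = ip_address(line.split()[2])
        elif m := re.match(r"standby \d+ ip (\S+)$", line):
            current["vip"] = m.group(1)
        elif m := re.match(r"standby \d+ priority (\d+)$", line):
            current["priority"] = int(m.group(1))
        elif re.match(r"standby \d+ preempt$", line):
            current["preempt"] = True
        elif m := re.match(r"standby \d+ track (\d+) decrement (\d+)$", line):
            current["track"][int(m.group(1))] = int(m.group(2))
    return groups


def effective_priority(group, failed_tracks=()):
    """Configured priority minus the decrement of every failed tracked object."""
    return group["priority"] - sum(
        dec for obj, dec in group["track"].items() if obj in failed_tracks)


def elect(routers, vlan, failed=None, current_active=None):
    """Name of the router that ends up active for `vlan`.

    routers: {name: parse_hsrp(...)}; failed: {name: set of failed track ids}.
    """
    failed = failed or {}
    ranked = sorted(
        ((effective_priority(g[vlan], failed.get(n, ())), g[vlan]["ip"], n)
         for n, g in routers.items()), reverse=True)
    winner = ranked[0][2]
    # A better-ranked router only displaces a running active router with preempt.
    if current_active and winner != current_active and not routers[winner][vlan]["preempt"]:
        return current_active
    return winner


def same_vip(routers, vlan):
    """Both routers must advertise one virtual IP for the group to be valid."""
    return len({g[vlan]["vip"] for g in routers.values()}) == 1


def analyse(configs=CONFIGS):
    """Per-VLAN report: VIP consistency, active router, active after track failure."""
    routers = {n: parse_hsrp(c) for n, c in configs.items()}
    report = {}
    for vlan in ("Vlan-Data", "Vlan-Voice"):
        active = elect(routers, vlan)
        report[vlan] = {
            "vip_consistent": same_vip(routers, vlan),
            "active": active,
            "after_track_failure": elect(routers, vlan, {active: {1}}, active),
        }
    return report
```

Running analyse() on the guide's values shows the caveat a practitioner should notice: the priority gap on both VLANs (110 versus 100, 120 versus 110) equals the track decrement of 10, so a tracked-object failure on the active router produces a tie rather than a lower priority. On the data VLAN BR-CE2 then takes over only because it holds the higher interface address; on the voice VLAN BR-CE2 stays active after its own tracked object fails for the same reason. A decrement larger than the priority gap makes the failover independent of the address tie-break.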

Transit Network

The transit network is configured between the two routers. This network is used for router-to-router communication and to avoid hair-pinning. This network is also used for PfR; for more information, please refer to the PfR Deployment guide. The transit network should use an additional subinterface on the router interface that already carries the data and voice VLANs, or a dedicated physical interface if one is available. The configuration follows:

! Transit network configuration in BR-CE1.

interface GigabitEthernet0/0/1.5

encapsulation dot1Q 60

ip address 10.5.24.1 255.255.255.252

!Transit network configuration in BR-CE2.

interface GigabitEthernet0/0/1.5

encapsulation dot1Q 60

ip address 10.5.24.2 255.255.255.252

Routing Deployment for Ultra-High-End Branch Office

BGP is used as the routing protocol for MPLS with the provider edge. The MPLS carrier gives the ASN for the BGP. The MPLS provider edge router uses a different BGP ASN, so eBGP is used between them. EIGRP is used between the two branch-office routers so that full reachability to all the remote sites can be achieved. BGP routes from the MPLS are redistributed to the EIGRP. The configuration follows:

! BGP ASN 65402 is used and the PE's ASN is 65000. The local router MPLS WAN link IP is 10.4.81.138 and the PE is 10.4.81.137. All the LAN networks 10.5.25.0 to 10.5.28.0 are configured in BGP.

router bgp 65402

bgp router-id 10.5.24.253

bgp log-neighbor-changes

network 10.4.81.136 mask 255.255.255.252

network 10.5.24.253 mask 255.255.255.255

network 10.5.25.0 mask 255.255.255.0

network 10.5.26.0 mask 255.255.255.0

network 10.5.27.0 mask 255.255.255.0

network 10.5.28.0 mask 255.255.255.0

neighbor 10.4.81.137 remote-as 65000

! EIGRP 200 is used between the two routers. A network statement matching the local interface IP address is used. BGP 65402 is redistributed into EIGRP. All the interfaces are configured as passive except the transit network.

router eigrp 200

default-metric 100000 100 255 1 1500

network 10.5.24.0 0.0.7.255

redistribute bgp 65402

passive-interface default

no passive-interface GigabitEthernet0/0/1.5

eigrp router-id 10.5.24.253

!
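The BGP and EIGRP stanzas above (and the equivalent high-end pair earlier in this guide) rely on three things agreeing with each other: the EIGRP network statement must cover the LAN, transit and loopback addresses that the routers exchange, redistribute bgp must name the ASN that router bgp actually runs, and the only non-passive EIGRP interface must be the transit subinterface. The Python script below is an added example, not part of the Cisco guide: it parses a constructed copy of the ultra-high-end routing configuration and reports each of those checks, converting the EIGRP wildcard mask and the BGP network masks into prefixes with the standard ipaddress module. The function names and report keys are assumptions of the example.

```python
"""Cross-check BGP network statements against the EIGRP network range (added example).

Not part of the Cisco guide. Parses a constructed copy of the ultra-high-end
routing stanzas and verifies wildcard coverage, ASN consistency and which
interfaces actually run EIGRP.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample mirroring the guide's transit, BGP and EIGRP configuration.
ROUTING_CONFIG = """
interface GigabitEthernet0/0/1.5
 encapsulation dot1Q 60
 ip address 10.5.24.1 255.255.255.252
router bgp 65402
 bgp router-id 10.5.24.253
 network 10.4.81.136 mask 255.255.255.252
 network 10.5.24.253 mask 255.255.255.255
 network 10.5.25.0 mask 255.255.255.0
 network 10.5.26.0 mask 255.255.255.0
 network 10.5.27.0 mask 255.255.255.0
 network 10.5.28.0 mask 255.255.255.0
 neighbor 10.4.81.137 remote-as 65000
router eigrp 200
 default-metric 100000 100 255 1 1500
 network 10.5.24.0 0.0.7.255
 redistribute bgp 65402
 passive-interface default
 no passive-interface GigabitEthernet0/0/1.5
 eigrp router-id 10.5.24.253
"""


def parse_routing(text):
    """Collect interface addresses, BGP prefixes and the EIGRP stanza."""
    cfg = {"bgp_asn": None, "bgp_networks": [], "eigrp_networks": [],
           "redistributed_bgp": None, "active_interfaces": [], "interfaces": {}}
    section, iface = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            section, iface = "interface", m.group(1)
        elif m := re.match(r"router bgp (\d+)$", line):
            section, cfg["bgp_asn"] = "bgp", int(m.group(1))
        elif re.match(r"router eigrp \d+$", line):
            section = "eigrp"
        elif section == "interface" and (m := re.match(r"ip address (\S+) \S+$", line)):
            cfg["interfaces"][iface] = ip_address(m.group(1))
        elif section == "bgp" and (m := re.match(r"network (\S+) mask (\S+)$", line)):
            cfg["bgp_networks"].append(ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif section == "eigrp" and (m := re.match(r"network (\S+) (\S+)$", line)):
            # EIGRP takes a wildcard (host) mask; ipaddress accepts it after the slash.
            cfg["eigrp_networks"].append(ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif section == "eigrp" and (m := re.match(r"redistribute bgp (\d+)$", line)):
            cfg["redistributed_bgp"] = int(m.group(1))
        elif section == "eigrp" and (m := re.match(r"no passive-interface (\S+)$", line)):
            cfg["active_interfaces"].append(m.group(1))
    return cfg


def bgp_prefixes_outside_eigrp(cfg):
    """BGP-advertised prefixes no EIGRP network statement covers (expected: the WAN link)."""
    return [str(n) for n in cfg["bgp_networks"]
            if not any(n.subnet_of(e) for e in cfg["eigrp_networks"])]


def audit(text=ROUTING_CONFIG):
    """Run the consistency checks against one configuration text."""
    cfg = parse_routing(text)
    active_in_range = all(
        any(cfg["interfaces"][i] in e for e in cfg["eigrp_networks"])
        for i in cfg["active_interfaces"])
    return {
        "redistribute_asn_matches": cfg["redistributed_bgp"] == cfg["bgp_asn"],
        "bgp_prefixes_outside_eigrp": bgp_prefixes_outside_eigrp(cfg),
        "active_eigrp_interfaces": cfg["active_interfaces"],
        "active_interfaces_in_eigrp_range": active_in_range,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

For the guide's values the only BGP prefix outside 10.5.24.0/21 is the MPLS link 10.4.81.136/30, which is what the design intends: the WAN link belongs to the provider-facing side and should not be advertised into the branch EIGRP domain. The ASN check is the one most likely to drift when a configuration is copied between branches, as the comment and stanza in the high-end section of this guide illustrate.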

Deploying Group Encrypted Transport VPN on the Ultra-High-End Branch Office

The Group Encrypted Transport VPN deployment steps are similar to those for the high-end branch office. Please refer to the procedure for deploying Group Encrypted Transport VPN for the high-end branch office for step-by-step instructions.

Deploying WAAS in the Ultra-High-End Branch Office

In the ultra-high-end branch office, the Cisco WAE appliance is used for application optimization. In this design two Cisco WAE-674 appliances are used for high availability and load sharing. The appliances are connected to the data VLAN of the branch office.

Deploying WAE

This design is similar to the WAE deployment in the standard aggregation; a negotiated return GRE tunnel is used from the Cisco WAE to the router. Traffic to be reinjected into the network uses a negotiated return WCCP GRE tunnel egress method back to the originating router. This method is preferred because it allows the Cisco WAE appliances to be located one or more routed hops away from the WCCP router. A default mask is used in the WAE in the configuration that follows.

For step-by-step instructions, please refer to "Configuring WAE on the Standard Aggregation".

Enabling WAAS on the BR-CE1

This design uses WCCP 61 inbound on LAN-facing interfaces to match unoptimized data from the clients. WCCP 62 is used inbound on WAN-facing interfaces, matching optimized data sourced from the data center.

Step 1. Configure WCCP on the router:

! Create an extended access list for the traffic that needs to be optimized. Management and control-plane sessions (SSH, Telnet, BGP, NTP) are excluded from redirection.

ip access-list extended WAAS-REDIRECT-LIST

deny tcp any any eq 22

deny tcp any eq 22 any

deny tcp any eq telnet any

deny tcp any any eq telnet

deny tcp any eq bgp any

deny tcp any any eq bgp

deny tcp any any eq 123

deny tcp any eq 123 any

permit tcp any any

! Create a standard access list with the IP addresses of WAE-1 and WAE-2 for HA and load balancing

ip access-list standard WAE

permit 10.5.25.10

permit 10.5.25.11

! Enable WCCP services 61 and 62 with the redirect list and the WAE group list

ip wccp 61 redirect-list WAAS-REDIRECT-LIST group-list WAE

ip wccp 62 redirect-list WAAS-REDIRECT-LIST group-list WAE

Step 2. Enable WCCP redirection on the interface:

! Enable wccp 62 redirect on the WAN interface

interface GigabitEthernet0/0/0

bandwidth 10000

ip address 10.4.81.138 255.255.255.252

ip mtu 1400

ip wccp 62 redirect in

ip pim sparse-mode

load-interval 30

negotiation auto

crypto map GN2

! Enable WCCP 61 redirect on the LAN interface; this is enabled only on the data VLAN interface

interface GigabitEthernet0/0/1.1

description Vlan-Data

encapsulation dot1Q 61

ip address 10.5.25.1 255.255.255.0

ip wccp 61 redirect in

ip flow ingress

ip flow egress

ip pim sparse-mode

standby 1 ip 10.5.25.100

standby 1 priority 110

standby 1 preempt

standby 1 track 1 decrement 10
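The redirect list in Step 1 decides, by first match, which TCP sessions WCCP hands to the WAE cluster and which stay on the normal forwarding path; the standard list restricts which devices may join the service group. The Python script below is an added example, not part of the Cisco guide or of Cisco WAAS: it implements first-match evaluation for the subset of IOS access-list syntax used above (any, host, address plus wildcard, and eq with a numeric or named port) and runs a set of constructed sample flows through WAAS-REDIRECT-LIST, then checks candidate WAE addresses against the WAE group list. The flow samples, the service-name table and the function names are assumptions of the example.

```python
"""First-match evaluation of the WCCP redirect and group access lists (added example).

Not part of the Cisco guide or of WAAS. Supports the ACL syntax the guide uses:
'any', 'host X', 'X wildcard' and 'eq <port|name>' on TCP entries.
"""
from ipaddress import ip_address, ip_network

# Service names IOS accepts after 'eq' that appear in (or relate to) the guide's ACL.
PORT_NAMES = {"ssh": 22, "telnet": 23, "ntp": 123, "bgp": 179}

# Constructed copies of the two access lists from Step 1.
REDIRECT_ACL = """
ip access-list extended WAAS-REDIRECT-LIST
 deny tcp any any eq 22
 deny tcp any eq 22 any
 deny tcp any eq telnet any
 deny tcp any any eq telnet
 deny tcp any eq bgp any
 deny tcp any any eq bgp
 deny tcp any any eq 123
 deny tcp any eq 123 any
 permit tcp any any
"""
WAE_ACL = """
ip access-list standard WAE
 permit 10.5.25.10
 permit 10.5.25.11
"""


def _port(token):
    if token.isdigit():
        return int(token)
    if token not in PORT_NAMES:
        raise ValueError(f"unknown service name: {token}")
    return PORT_NAMES[token]


def _parse_addr(tokens):
    """Consume 'any' | 'host X' | 'X wildcard'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1]), tokens[2:]
    # ipaddress accepts an IOS wildcard (host mask) after the slash.
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_extended(text):
    """Entries as (action, proto, src_net, src_port, dst_net, dst_port)."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, rest = _parse_addr(t[2:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, _ = _parse_port(rest)
        entries.append((t[0], t[1], src, sport, dst, dport))
    return entries


def parse_standard(text):
    """Standard ACL entries as (action, network); a bare address means a host."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if t and t[0] in ("permit", "deny"):
            spec = t[1:] if len(t) > 2 or t[1] == "any" else ["host", t[1]]
            entries.append((t[0], _parse_addr(spec)[0]))
    return entries


def redirected(flow, entries):
    """True if the first matching entry permits (i.e. WCCP redirects the flow)."""
    src, sport, dst, dport = flow
    for action, proto, snet, sp, dnet, dp in entries:
        if proto == "tcp" and ip_address(src) in snet and ip_address(dst) in dnet \
                and sp in (None, sport) and dp in (None, dport):
            return action == "permit"
    return False  # implicit deny: not redirected


def wae_allowed(addr, entries):
    """True if the address may join the WCCP service group (implicit deny)."""
    return next((a == "permit" for a, net in entries if ip_address(addr) in net), False)


# Constructed sample TCP flows: (src, sport, dst, dport).
SAMPLE_FLOWS = {
    "cifs_to_dc": ("10.5.25.50", 51000, "10.4.100.20", 445),
    "http_to_dc": ("10.5.25.50", 51001, "10.4.100.30", 80),
    "ssh_from_branch": ("10.5.25.50", 51002, "10.4.100.40", 22),
    "ssh_return": ("10.4.100.40", 22, "10.5.25.50", 51002),
    "bgp_to_pe": ("10.4.81.138", 45000, "10.4.81.137", 179),
    "ntp_tcp_from_dc": ("10.4.100.5", 123, "10.5.25.50", 123),
}


def classify(flows=SAMPLE_FLOWS):
    """Map each sample flow name to whether WAAS-REDIRECT-LIST redirects it."""
    entries = parse_extended(REDIRECT_ACL)
    return {name: redirected(flow, entries) for name, flow in flows.items()}
```

The paired deny entries matter because WCCP 61 sees the client-to-server direction and WCCP 62 the return direction: an SSH or BGP session is excluded whichever side owns the well-known port, so the router never hands its own management or routing sessions to the optimizer. Any address not in the WAE list is refused membership in the service group even if it speaks WCCP, which is the control that keeps an unexpected host from inserting itself into the redirected path.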

Deploying WAAS on BR-CE2

Repeat steps 1 and 2 from the BR-CE1 procedure on BR-CE2.

Deploying Rich-Media Services for Ultra-High-End Branch Office

The Cisco 3945 is used in the ultra-high-end branch office for providing SRST service for the branch-office users. A PVDM3 DSP module is also installed in this router to provide videoconferencing services for the branch office. Please refer to the NGEW Video Implementation guide for the configuration procedure for the videoconferencing service.

! The IP address of the ISR-G2 voice VLAN interface is configured as the IP source address. The maximum number of phones is configured as 200 and the maximum number of directory numbers as 400.

call-manager-fallback

video

max-conferences 8 gain -6

transfer-system full-consult

ip source-address 10.5.25.10 port 2000

max-ephones 200

max-dn 400

system message primary VIDEO-SCCP-SRST

Deploying QoS for Ultra-High-End Branch Office

The QoS deployment procedure is the same as that for the high-end branch office. QoS shaping is done on the bandwidth provisioned in the WAN interface. Further details about end-to-end QoS and remarking are discussed in the NGEW QoS deployment guide.

Step 2. Configure shaping and apply the QoS:

! Shaping is done to make sure the load does not exceed the bandwidth subscribed from the provider. For the high-end branch office, 100 Mbps is the recommended bandwidth, so shaping is done to 100 Mbps. The policy with queuing is applied as the child policy.